MetaMask and Phantom, two of the largest crypto wallet providers, disclosed in blog posts Wednesday they recently patched a security vulnerability that could have exposed sensitive login credentials to users with compromised devices.
The wallet providers say there is no evidence the vulnerability was ever exploited by attackers, meaning no user funds are known to have been affected.
MetaMask and Phantom – which were alerted to the bug by blockchain security firm Halborn – informed at least 10 other browser-based hot wallets that they contained the same vulnerability. The full list of impacted – and patched – wallets is unclear at this time.
Although the vulnerability came with a narrow attack vector and there’s no evidence of it ever having been exploited by hackers, it highlights the inherent security risk of internet-connected hot wallets compared to more secure – albeit less-convenient – hardware wallets.
Should you be concerned?
MetaMask and Phantom are not recommending that most users take any action other than to update their wallet browser extensions, so that the wallets they are using are running the most up-to-date software versions.
According to the blog post from MetaMask you should only be concerned if you match all of the following conditions:
- Your hard drive was not encrypted
- You imported your Secret Recovery Phrase into a MetaMask extension on a device that is in possession of someone you do not trust, or your computer is compromised
- You used the “Show Secret Recovery Phrase” checkbox to view your Secret Recovery Phrase on-screen during that import process
“If your computer is not physically secure from people you do not trust, we recommend you enable full disk encryption on your system,” according to the MetaMask blog post. “Additionally, you are not affected by this if your funds are managed by a hardware wallet.”
Phantom’s blog post largely echoed that of MetaMask.
In its blog post, MetaMask outlines steps that users should take to move to a new wallet if they believe their credentials could have been compromised.
Halborn, which was awarded a $50,000 bounty for disclosing the bug, recommended most users move to a new wallet address out of an abundance of caution.
Steve Walbroehl, Halborn’s co-founder, told CoinDesk, “Just given the fact that this is something that has been around for so long, you don’t know who possibly could have gotten [exploited]. Maybe you clicked on a bad phishing email and they have access to your machine. Maybe somebody took it before even though you’ve now upgraded. I just think out of an abundance of caution, given the criticality, it’s better to just change it.”
He continued, “My number one recommendation is to just get a hardware wallet.”
How it happened
A secret recovery phrase – also called a seed phrase or mnemonic phrase – is a series of 12 words (some wallets use 24) that users receive when they set up a self-custody wallet, and it serves as a master key should users ever need to recover their wallet or set it up on a new device.
If a user entered this phrase on a compromised or otherwise untrusted device, an attacker with access to that device could have recovered it if he or she knew exactly where to look (or, more likely, had a specialized tool for the task). The unencrypted-disk condition above points to where it could be found: on the device's storage, not just in the running wallet.
If a person’s secret recovery phrase falls into the hands of someone malicious, it could be used to seize full control of the person’s funds.
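To show why a leaked phrase is equivalent to the wallet itself, here is an added example (not code from MetaMask, Phantom, Halborn or CoinDesk) of the BIP-39 seed derivation that 12-word recovery phrases of this kind follow, carried one step further into the BIP-32 master key. The only inputs are the words and an optional passphrase; nothing ties the result to the device it was typed on, so anyone holding the words can recompute the same master key anywhere. The phrase used is the published BIP-39 test vector, not a real wallet.

```python
import hashlib
import hmac
import unicodedata

# Constructed input: the first English BIP-39 test vector (12 words), standing in
# for a user's Secret Recovery Phrase. Never paste a real phrase into a script.
SAMPLE_PHRASE = (
    "abandon abandon abandon abandon abandon abandon "
    "abandon abandon abandon abandon abandon about"
)


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39 seed derivation.

    seed = PBKDF2-HMAC-SHA512(password=NFKD(mnemonic),
                              salt="mnemonic" + NFKD(passphrase),
                              rounds=2048, length=64 bytes)
    The words are the entire secret; the optional passphrase is the only
    other input, and there is no per-device component at all.
    """
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = "mnemonic" + unicodedata.normalize("NFKD", passphrase)
    return hashlib.pbkdf2_hmac(
        "sha512", words.encode("utf-8"), salt.encode("utf-8"), 2048, dklen=64
    )


def seed_hex(mnemonic: str, passphrase: str = "") -> str:
    return mnemonic_to_seed(mnemonic, passphrase).hex()


def master_key(seed: bytes) -> tuple[bytes, bytes]:
    """BIP-32 master node: HMAC-SHA512 keyed with b"Bitcoin seed" over the seed.

    Left 32 bytes are the master private key, right 32 bytes the chain code.
    Every account key in the wallet is derived deterministically from these.
    """
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def master_key_hex(mnemonic: str, passphrase: str = "") -> str:
    priv, _chain = master_key(mnemonic_to_seed(mnemonic, passphrase))
    return priv.hex()


if __name__ == "__main__":
    # A phrase recovered from disk reproduces the wallet's master key exactly.
    print("seed (no passphrase):   ", seed_hex(SAMPLE_PHRASE))
    print("master key (no passphr):", master_key_hex(SAMPLE_PHRASE))
    # A BIP-39 passphrase changes the seed entirely, so a phrase leaked
    # without its passphrase is not sufficient on its own.
    print("seed (passphrase TREZOR):", seed_hex(SAMPLE_PHRASE, "TREZOR"))
```

Running the block shows that the same 12 words always yield the same seed and master key, which is why the article treats a leaked phrase as full control of the funds; the passphrase case illustrates the one standard input that would have changed that outcome.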
MetaMask was informed of the bug in July 2021 and issued a patch in March 2022. Phantom learned of the bug in September 2021 and issued several patches to address the issue between January and April 2022.
The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.