
Data Breach Reported on Aleo Blockchain Platform
The privacy-focused blockchain platform Aleo has reportedly exposed some user data, according to posts on the social network X.
Hey @AleoHQ
You just sent me someone’s KYC documents via email (including selfies and id card photos).
That makes me wonder, If I have someone else’s KYC document, who else have you sent mine to?
— Emir Soytürk | Devconnect (@0xemirsoyturk) February 24, 2024
A Turkish student, Emir Soytürk, discovered that he received another person’s KYC data via email, including selfies and ID card photos.
“This makes me wonder: if I have someone else’s document, to whom have you sent mine?” he asked the project team.
Another user, under the pseudonym Selim C, confirmed experiencing the same issue.
I’ve just checked and same here.
— Selim C (@selim_jpeg) February 24, 2024
Renowned on-chain analyst ZachXBT sarcastically advised them to keep the documents in their archives.
Aleo’s developers aim to facilitate the creation of applications based on zero-knowledge proofs (ZKP), which are used for privacy and data security.
To receive rewards, users must undergo the KYC process with a third-party provider, HackerOne, and a check by the U.S. Treasury’s Office of Foreign Assets Control.
Mike Sarvodaya, founder of the blockchain project Galactica, told Cointelegraph that the ZKP protocol should never allow access to user data.
“The irony is that a programmable privacy protocol uses a third party to collect unencrypted KYC data, which then becomes public,” he said.
The expert speculated that the Aleo team was so confident in their ZKP stack that they overlooked basic operational security.
In an interview with The Block at the end of January, Aleo Foundation head Alex Pruden stated that the project’s mainnet would launch in “the coming weeks.” He noted that developers still need to fix several bugs identified through six audits and two bounty programs.
In subsequent posts on X, Emir Soytürk reported that after communicating with him, the team allegedly “fixed” the KYC data issue.
In 2022, the project raised $200 million in a Series B funding round.
In October 2023, leading mining equipment manufacturer Bitmain announced the release of an Antminer device for the Aleo blockchain, despite the absence of a mainnet and token.