
Experts confirm data leak affecting Solana wallet Slope; similar bug found in NEAR Wallet
A team of smart-contract auditing specialists at Hacxyk reported a vulnerability that could have exposed NEAR Wallet users’ seed phrases.
Back in June, we found a bug in @NEARProtocol wallet that was almost the same as the recent Solana wallet hack. When a Near wallet user chooses «email» as the seed phrase recovery method, the seed phrase is leaked to a third party site. https://t.co/gHWhmxE3Sm pic.twitter.com/MK31xUeAeL
— Hacxyk. (@Hacxyk) August 4, 2022
According to the experts, holders who chose email as their seed phrase recovery method could be at risk.
Hacxyk noted that, with such a request, the seed phrase was sent directly to the user’s email, which already jeopardises its security, as email services may gain access to it.
Experts found that when the user followed the recovery link, their data was sent to a third party, the analytics service Mixpanel, and the request itself contained the seed phrase.
The bug was discovered in June and has since been fixed. Hacxyk recommended that all NEAR Wallet users who had ever chosen email as the recovery method transfer their assets to a new wallet and update their seed phrase.
The NEAR Protocol developers confirmed Hacxyk’s findings. They disabled the ability to recover access to NEAR Wallet via email or SMS.
To maintain the highest level of security, https://t.co/kC71fCMqbo no longer allows users to create accounts using email or sms for account recovery.
— NEAR Protocol | NEARCON.org | Lisbon | Sept 11-14 (@NEARProtocol) August 4, 2022
Analysts said the bug was very similar to the one that could be exploited in Solana-based wallet hacks.
Earlier the Solana team linked the incident to the wallet provider Slope. Some researchers noted that Slope could have stored users’ seed phrases on its centralised servers, which were subsequently compromised by attackers.
Subsequently, the incident-investigation firm OtterSec confirmed that Slope’s mobile app sent seed phrases to a centralised Sentry server, where they were stored in plaintext.
We have independently confirmed that Slope’s mobile app sends off mnemonics via TLS to their centralized Sentry server.
These mnemonics are then stored in plaintext, meaning anybody with access to Sentry could access user private keys. pic.twitter.com/PkCFTeQgOP
— OtterSec (@osec_io) August 4, 2022
The server contained data for about 1,400 addresses affected by the exploit. At the same time, more than 5,300 private keys found on Sentry had not yet been compromised. Most of these addresses held tokens. Experts urged users to move their funds.
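Both leaks described above, the NEAR Wallet recovery request that reached Mixpanel and the Slope app's reports that reached Sentry, share one root cause: key material was handed to a telemetry pipeline unfiltered. The following JavaScript is an added example, not code from NEAR, Slope, Mixpanel or Sentry, of a client-side scrubber that drops seed phrases and hex private keys from an event before it is passed to any analytics or error-reporting SDK. The event shape, field names and sample values are constructed for the example.

```javascript
// Added example (not code from NEAR, Slope, Mixpanel or Sentry): scrub seed
// phrases and key material out of a telemetry event before it leaves the client.
// Event shape, field names and sample values are constructed for this example.

const REDACTED = 'REDACTED';

// Field names whose values should never be forwarded to a third-party service.
const SENSITIVE_KEYS = /^(?:seed|seed_?phrase|mnemonic|mnemonics|recovery_?phrase|private_?key|secret_?key|password)$/i;

// A run of 12 to 24 lowercase words (BIP39 mnemonics are 12, 15, 18, 21 or 24 words).
// Deliberately broad: long lowercase prose is redacted too, which is the safe direction.
const MNEMONIC_RE = /\b[a-z]+(?: [a-z]+){11,23}\b/g;

// A 32-byte key written as hex, with or without a 0x prefix.
const HEX_KEY_RE = /\b(?:0x)?[0-9a-fA-F]{64}\b/g;

function redactSecrets(text) {
  return text.replace(HEX_KEY_RE, REDACTED).replace(MNEMONIC_RE, REDACTED);
}

// URLs are scrubbed parameter by parameter, so a secret that ended up in the
// query string (the request-parameter case) is removed without losing the rest.
function scrubUrl(value) {
  let url;
  try { url = new URL(value); } catch { return redactSecrets(value); }
  let changed = false;
  for (const [key, val] of [...url.searchParams.entries()]) {
    const clean = SENSITIVE_KEYS.test(key) ? REDACTED : redactSecrets(val);
    if (clean !== val) { url.searchParams.set(key, clean); changed = true; }
  }
  return changed ? url.toString() : value;
}

function scrubString(value) {
  return /^https?:\/\//i.test(value) ? scrubUrl(value) : redactSecrets(value);
}

// Walk the whole event: drop sensitive keys outright and scrub every string,
// including strings nested in arrays such as breadcrumbs.
function scrubEvent(node) {
  if (Array.isArray(node)) return node.map(scrubEvent);
  if (node !== null && typeof node === 'object') {
    const out = {};
    for (const [key, val] of Object.entries(node)) {
      out[key] = SENSITIVE_KEYS.test(key) ? REDACTED : scrubEvent(val);
    }
    return out;
  }
  return typeof node === 'string' ? scrubString(node) : node;
}

// Cheap final check before the SDK's send call: does any serialised string
// still match a secret pattern?
function containsSecret(node) {
  const json = JSON.stringify(node);
  return json !== redactSecrets(json);
}

// Constructed sample: the kind of event a wallet's recovery flow might emit.
const SEED = 'abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about';
const SAMPLE_EVENT = {
  message: 'recovery flow completed',
  user: { id: 'user-123' },
  request: {
    url: 'https://analytics.example/track?distinct_id=user-123&seed=' + encodeURIComponent(SEED),
  },
  extra: { mnemonic: SEED, balance: '1.5' },
  breadcrumbs: [
    { category: 'ui', message: 'clicked recover' },
    { category: 'debug', message: 'pasted: ' + SEED }, // secret pasted into a log line
  ],
};

console.log(JSON.stringify(scrubEvent(SAMPLE_EVENT), null, 2));
```

In the Sentry JavaScript SDK a function of this shape is what the `beforeSend` option is for; for an analytics call the scrub runs on the properties object before it is handed to the SDK (the wiring is assumed and not shown). The mnemonic pattern is intentionally permissive: any run of twelve or more lowercase words is redacted, so long free-text log lines can be lost too, which is the right failure direction for data that leaves the device.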
SlowMist noted that the Phantom wallet team also used Sentry. However, analysts have not yet found evidence that the server stored users’ seed phrases for the app.
Researchers confirmed that the imToken and Sender wallets were not affected by the Sentry leak.
Our investigation concluded that @imTokenOfficial was not affected in the recent data leak involving Sentry. @SenderWallet & @Coin98 wallets were not affected as well since they don’t utilize Sentry services.
Specific versions for Android, iOS & Chrome extension can be shown👇 pic.twitter.com/roGMW0rw9D
— SlowMist (@SlowMist_Team) August 4, 2022
As previously reported, during the attack hackers drained millions of dollars from about 8,000 Solana wallets.