A vulnerability that could jeopardize the security of funds held in MetaMask and Phantom has been disclosed by the two companies; it affects some users who went through the secret recovery phrase import process. The vulnerability has been fixed in both wallets, so users are strongly advised to install any pending update.
Some MetaMask and Phantom wallets compromised
On Wednesday, June 15, MetaMask published a blog post explaining that a flaw had been discovered in an older version of its wallet which could compromise the security of users' funds.
This flaw only affects users running MetaMask as a browser extension on a desktop computer; users of the mobile application are not affected. According to the post, the flaw has been fixed since version 10.11.3.
The firm therefore strongly encourages its users to update if necessary. At first sight, however, only a handful of users of the popular Ethereum wallet would be concerned.
According to MetaMask, a user is potentially affected only if all three of the following conditions are met:
- their hard disk was not encrypted;
- they imported their secret recovery phrase into the MetaMask browser extension on a potentially compromised computer;
- they checked the “Show secret recovery phrase” box during the import process.
If you meet all of these conditions, your wallet could be exposed. In that case the MetaMask team strongly recommends transferring the funds to a new wallet created on a secure device.
The vulnerability is particularly relevant to users whose device was compromised or stolen shortly after they used the import method.
The post does specify, however, that people who secure their funds with a hardware wallet (such as a Ledger) are spared this risk. That is a reminder of how important it is to secure your cryptocurrencies with this type of wallet.
Phantom wallet also affected
Phantom, one of the main wallets on the Solana (SOL) blockchain, is also affected. According to its own statement, patches were rolled out gradually from January until the flaw was completely fixed with an update in April.
The flaw is similar to MetaMask's: a Phantom user can be affected if they imported their secret recovery phrase in a potentially vulnerable browser.
The blockchain security firm Halborn discovered the vulnerability first and reported it to the development teams of the two wallets, both of which thanked it. MetaMask paid Halborn a $50,000 bounty.
The security engineer who discovered the flaw last year has since joined the Phantom team, which the company says has added real value to the security of its users:
“We are delighted to welcome Osama Amri, who discovered the threat last year while at Halborn […]. Thanks to the hard work of engineers Josiah Savary and Laamia Islam, not only have substantial parts of our code base been modified, but we have also completely rewritten the way we generate seed phrases.”
Phantom's statement says the details of the vulnerability were not disclosed earlier so that all parties involved could ship a suitable fix. The firm also intends to share the source code of part of its wallet to help its peers:
“Once additional audits have been completed this summer, we plan to open the source code for our approach to the BIP-39 package for generating seed phrases so that other wallets can also better protect themselves and their users.”
Once again, remember that the best security for your cryptocurrencies is and will remain a hardware wallet, which keeps you in complete control of your funds.