Experts at Hacxyk, a firm involved in auditing smart contracts, reported a vulnerability that could leak the seed phrases of NEAR Wallet users.
Back in June, we found a bug in @NEARProtocol wallet that was almost the same as the recent Solana wallet hack. When a Near wallet user chooses “email” as the seed phrase recovery method, the seed phrase is leaked to a third party site. https://t.co/gHWhmxE3Sm pic.twitter.com/MK31xUeAeL
— Hacxyk. (@Hacxyk) August 4, 2022
According to experts, wallet owners who chose e-mail as a way to recover the secret phrase could be at risk.
Hacxyk noted that with this recovery method the seed phrase was sent directly to the user's email, which already jeopardizes its security, since email services can access it.
The experts found that when the link was clicked, user data was sent to a third party, the Mixpanel business intelligence service, and the request itself contained the seed phrase.
The bug was discovered in June and has already been fixed. Hacxyk has advised all NEAR Wallet users who have ever chosen email as their recovery method to transfer assets to a new wallet and update their seed phrase.
Analysts said the bug is very similar to the one that could have been exploited in the hack of Solana-based wallets.
The Solana team previously linked the incident to wallet provider Slope. Some experts noted that Slope could store user seed phrases on its centralized servers, which were subsequently compromised by attackers.
Investigating firm OtterSec later confirmed that the Slope mobile app sent seed phrases to a centralized Sentry server, where they were stored unencrypted.
We have independently confirmed that Slope’s mobile app sends off mnemonics via TLS to their centralized Sentry server.
These mnemonics are then stored in plaintext, meaning anybody with access to Sentry could access user private keys. pic.twitter.com/PkCFTeQgOP
– OtterSec (@osec_io) August 4, 2022
The server contained data for approximately 1,400 addresses affected by the exploit. At the same time, more than 5,300 private keys found on Sentry have not yet been affected. Most of these addresses contain tokens. Specialists strongly recommended moving the funds.
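In both leaks described above, the NEAR Wallet request to Mixpanel and the Slope reports to Sentry, the secret travelled inside ordinary telemetry. The following is an added example, not code from NEAR, Slope or any firm quoted here: a JavaScript filter a wallet could apply to every event before handing it to an analytics or error-reporting SDK. The names `scrubString` and `scrubEvent`, the 12-word threshold and the sample event are assumptions made for illustration.

```javascript
// Added example (hypothetical names): redact mnemonic-like strings from a
// telemetry event before any analytics or error-reporting SDK receives it.
const MIN_WORDS = 12; // assumption: shortest phrase length to treat as a secret
const REDACTED = "[REDACTED_MNEMONIC]";
// MIN_WORDS or more consecutive lowercase words of 3-8 letters (the length
// range of BIP-39 English words), separated by whitespace, '+', '-', '_' or ','.
// Deliberately broad: a false positive only costs a redacted log line.
const MNEMONIC_RE = new RegExp(
  `\\b[a-z]{3,8}(?:[\\s+\\-_,]+[a-z]{3,8}){${MIN_WORDS - 1},}\\b`, "g");

function scrubString(s) {
  // Decode percent-escapes first so "%20"-separated phrases in URLs match.
  let decoded = s;
  try { decoded = decodeURIComponent(s); } catch (_) { /* malformed: keep raw */ }
  const out = decoded.replace(MNEMONIC_RE, REDACTED);
  return out === decoded ? s : out; // untouched strings are returned as-is
}

function scrubEvent(value) {
  // Walk the whole payload: secrets hide in URLs, breadcrumbs and nested props.
  if (typeof value === "string") return scrubString(value);
  if (Array.isArray(value)) return value.map(scrubEvent);
  if (value && typeof value === "object") {
    return Object.fromEntries(
      Object.entries(value).map(([k, v]) => [k, scrubEvent(v)]));
  }
  return value;
}

// Constructed sample data: not a real mnemonic, URL or event schema.
const PHRASE =
  "alpha bravo charlie delta echo foxtrot golf hotel india juliet kilo lima";
const sampleEvent = {
  event: "page_view",
  properties: {
    url: "https://wallet.example.invalid/recover/alice.test/" +
      encodeURIComponent(PHRASE),
    referrer: "https://mail.example.invalid/",
    breadcrumbs: [{ message: "import: " + PHRASE }, { message: "wallet opened" }],
  },
};

console.log(JSON.stringify(scrubEvent(sampleEvent), null, 2));
```

A filter like this is a backstop; the stronger control is never placing the phrase in a URL, log message or error context in the first place.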
SlowMist noted that the Phantom wallet team also used Sentry. However, analysts have not yet found evidence that the secret phrases of application users were stored on the server.
The researchers confirmed that the imToken and Sender wallets were not affected by the Sentry leak.
Our investigation concluded that @imTokenOfficial was not affected in the recent data leak involving Sentry. @SenderWallet & @Coin98 wallets were not affected as well since they don’t utilize Sentry services.
Specific versions for Android, iOS & Chrome extension can be shown👇 pic.twitter.com/roGMW0rw9D
— SlowMist (@SlowMist_Team) August 4, 2022
Recall that during the attack, hackers withdrew millions of dollars from about 8,000 Solana-based wallets.