On the 15th of June, several companies providing crypto wallets – as well as the cybersec firm responsible for finding exploits – announced the existence and subsequent patching of a security issue affecting browser extension-based wallets.
The vulnerability, codenamed “Demonic”, was discovered by security researchers at Halborn, who contacted the affected companies last year. They have now made their findings public, after allowing affected parties to resolve the issue in advance to limit damage to end users.
Metamask, xDEFI, Brave, and Phantom Affected
The Demonic exploit – officially named CVE-2022-32969 – was originally discovered by Halborn back in May 2021. It affected wallets using BIP39 mnemonics, allowing recovery phrases to be intercepted by bad actors remotely or using compromised devices, ultimately leading to a hostile takeover of the wallet.
However, the exploit needed a very specific sequence of events to take place.
To start off, this issue did not affect mobile devices. Only wallet owners using unencrypted desktop devices were vulnerable – and they would have had to import the secret recovery phrase from a compromised device. Lastly, the “Show Secret Recovery Phrase” option would have had to be used.
Halborn quickly contacted the four companies endangered by the exploit, and work began in secret to fix the problem before it could be discovered by hackers.
“Due to the severity of the vulnerability and the number of impacted users, technical details were kept confidential until a good faith effort could be made to contact affected wallet providers.
Now that the wallet providers have had the opportunity to remediate the issue and migrate their users to secure recovery phrases, Halborn is providing in-depth details to raise awareness of the vulnerability and help prevent similar ones in the future.”
Problem solved, vigilantes rewarded
Metamask developer Dan Finlay has published a blog post urging users to update to the latest version of the wallet in order to benefit from the fix, which negates the issue. Finlay also asked them to pay attention to security in general, keeping devices encrypted at all times.
The blog post also announced the payout of $50k to Halborn for the discovery of the vulnerability as a part of Metamask’s bug bounty program, which pays out sums between $1k and $50k, depending on severity.
Phantom also released a statement about it, confirming that the vulnerability has been patched for its users by April 2022. The company also welcomed Osama Amri – the expert behind Halborn’s discovery – to Phantom’s cybersec team. .
All parties involved urged concerned users to ensure they have upgraded to the latest version of the wallet and to reach out to the respective security teams for any additional issues.
