There was a nasty bug around OG crypto holders that affected one of the most important parts of the Web3 infrastructure: the MetaMask wallet. Since December, a crypto-skeptic news site has reported that more than 5,000 Ether (ETH) worth about $10.5 million has been stolen from crypto veterans using various out-of-custody wallets. Protos referring to an informal survey conducted by the founder of MyCrypto. Taylor Monahan.
kind of Developers of ConsenSysThe private blockchain software company that built most of Ethereum’s open source tools, including the MetaMask wallet and the Infura app toolkit, is investigating an exploit that appears to be “deliberately” targeting people who need to know the ins and outs of the autocrypto. security and guarding.
This article is excerpted from The Node, CoinDesk’s daily roundup of the most important developments in blockchain and crypto news. You can subscribe to take full advantage newsletter here.
“This is NOT a hidden phishing site or random scammer. It doesn’t hurt anything. He ONLY writes OGs,” Monahan, who goes by the name “Tay,” wrote on Twitter. According to Tay’s preliminary investigation, which affected keys generated between 2014 and 2022 and at least 11 blockchains, Monahan’s on-chain research found that the unexplained vulnerability could affect “all wallets,” including, but not limited to, MetaMask.
I mention this exploit so as not to spread fear, uncertainty and doubt, especially not on the most widely used Web3 portal. It doesn’t seem to be targeting average or casual MetaMask users or cryptocurrency users in general at this time. But it’s time to remember good portfolio practices and take stock of your holdings. Depending on the mass nature of the attack and the origin of the victims, the consequences can be severe.
The key now is to make everyday cryptocurrency users not only feel safe, but to make sure they actually exist. In an email, a ConsenSys spokesperson confirmed that the attack targeted ETH early adopters or people working in the industry — or at least active enough to fall into the “crypto natives” category. Additionally, the spokesperson noted that the attack is much broader than MetaMask, and that “an attacker’s on-chain behavior is highly suggestive of a private key compromise.”
“Current research shows that this particular attack vector is where these users’ secret recovery phrases were compromised due to deliberately not saving them. about said sentence,” said the MetaMask security team.
Unknown attacker(s)
As mentioned above, much is still unknown about the attack and the attackers. It is unclear whether this is a coordinated effort by several skilled hackers or a single actor, or whether multiple people are finding and exploiting the same vulnerabilities. Monahan said most of the attacks occurred between 10:00 a.m. and 1:00 p.m. UTC, indicating that it may have been a single organization that received highly compromised information.
Monahan said in his post that an attacker may have obtained a cache of data that could help them gain access to users’ private keys or a wallet recovery phrase. He made it clear that the issue was not related to MetaMask’s underlying cryptography and was not a social engineering scam like phishing.
However, the exploit has some common features: most of the attacks took place over the weekend, and the exploit traded assets in the victim’s wallet for ether (often bypassing staking, immutable tokens, and lesser-known coins), pooling that ETH, and then transferring it. According to Monahan, the attacker often returned hours, days or weeks after the initial attack to swipe the remaining funds.
“The chain robbery and the movement after the robbery is very unusual,” Monahan said, hoping to open doors to identifying the attacker and recovering the assets. He said several attempts at “recovery” have so far been successful.
ConsenSys confirmed the attack in an email and said it encouraged people to contact its support team “about any specific situations.” The company acquired startup MyCrypto from Monahan in February 2022, after introducing a “fraud blocklist” to MyCrypto (aka CryptoScamDB) in 2017, which was used to protect MetaMask users from accessing known scam URLs, according to an announcement at the time.
Monahan and ConsenSys also emphasize the importance of mutual cooperation and sharing of information and resources at that time. Unfortunately, the crypto community has a habit of blaming the victims of the hack. “Stop shaming people. They’re not stupid,” Monahan wrote, noting that if you’re hacked, sharing the details publicly will help the distributed Web3 hive mind find a solution.
“Web3 belongs to everyone, and we should all try to protect each other,” said a ConsenSys spokesperson.
Best practices
As for best practices, Monahan wrote in all caps: “DO NOT KEEP ALL YOUR ASSETS IN ONE KEY OR FOR YEARS.” While this is mostly only useful in retrospect, it does warn users to segregate their assets, use a hardware wallet, and transfer funds from internet-connected accounts. Additionally, MetaMask shared this bulleted list:
- Never store your private key or secret recovery phrase online, always write it down somewhere and keep it safe.
- Get and use a hardware wallet, but like MetaMask, don’t store your private key or passphrase on any network (or really, any internet-connected device).
- If you’ve gotten to the point where your wallet is so out of date that you can’t remember if you’ve always been 100% enthusiastic about its keys, consider creating a new wallet (meaning a new passphrase, not a new account) and moving your funds there
- Perform regular security checks and audits to ensure you’re up to date with security best practices, and as (Monahan) mentions, consider splitting your assets into multiple recovery phrases and using hardware wallets.
As the nature of the exploit is revealed, this story is likely to expand further. Apparently, many long-time cryptocurrency users around the world have been exposed for months without much word filtering. As long as crypto continues to hold value, wallet users face such risks. A record $3.8 billion worth of crypto was stolen last year through fraud, hacking and theft, according to the latest data from Chainalysis.
CoinDesk recently released a list of “Projects to Watch” representing protocols and companies that they feel comfortable offering to users. I wrote about the popular Rainbow Wallet, which is often spread by word of mouth due to its simple interface and built-in security features.
See also: PayPal Crypto Wallet works with MetaMask to offer easy crypto trading
Rainbow, like most cryptocurrency wallets, has rolled out a number of security features to help protect the wallets, including pop-up messages to alert users of suspicious addresses users may be interacting with, as well as authentication tools to prevent people from sending assets. incorrect or incorrect addresses. dead addresses. Basic security features like these should be standard in crypto (among other wallets with similar protections as MetaMask, to be clear).
But at the same time, cryptocurrency users and malicious actors seem to be constantly playing cat and mouse. With every technological advancement released to protect the uninformed, there may be a workaround. And if Monahan is right, even years of experience don’t guarantee you’ll be safe. There are best practices to follow and pitfalls to avoid – but at this point it’s clear that fraud is endemic to crypto.
Where does this leave Web3? It’s not like banks or fintech apps are immune to hackers or fraud, but users should be able to trust even “untrusted” technologies.
UPDATE (April 18, 2023 – 23:30 UTC): ConsenSys adds comments and adds a sentence stating that all wallets are vulnerable, not just MetaMask.
The views and opinions expressed herein are those of the author and reflect those of Nasdaq, Inc.
All news on the site does not represent the views of the site, but we automatically submit this news and translate it through software technology on the site rather than a human editor.
