Crypto wallet provider MetaMask reported a vulnerability that could affect a very small portion of its users. Discovered by blockchain security firm Halborn, the vulnerability could enable a bad actor to take possession of a user’s secret recovery phrase compromising his funds.
This vulnerability affects several web crypto wallets and allows an attacker to extract a secret recovery phrase from a personal computer. As mentioned, the vulnerability doesn’t affect all MetaMask users, but a very small portion.
This is because the user will need to meet 3 conditions to be subject to this attack: use an unencrypted hard drive, the user would have had to import the secret recovery phrase from the MetaMask web extension to a compromised device, or to be using the crypto wallet extension from an unsecured computer and use the “show secret recovery phrase” checkbox during the import process.
The crypto wallet provider prepared a migration guide to aid users to move their funds into a new wallet. In that sense, the company recommended users who meet these conditions and users who believe could meet them follow the guide. This document can be found at the following link.
Users with the intention to migrate to a new wallet should have enough funds to pay for the required gas fees, the wallet provider said. These fees can “become costly” depending on the user’s funds and the smart contracts “storing or managing those assets”.
Assets under the Ethereum ETC-20, ERC-721 (NFTs), and ERC-1155 standards should be a priority. The wallet provider warned:
“If your account has been compromised, it is possible that you have had a sweeper bot placed on your account. If this is the case, then as soon as you transfer tokens in, they may be transferred to the attacker’s address.”
Are Your MetaMask Funds Safe?
As MetaMask clarified, the vulnerability doesn’t impact their mobile users, but only users on macOS, Linux, and Windows using Google Chrome, Firefox, or Chromium-based web browsers. The company implemented a “mitigation” for this vulnerability.
In that sense, all users were asked to update their crypto wallets to the 10.11.3 version. Users were also encouraged to contact MetaMask Support for any additional assistance or information.
The company has awarded Halborn with a $50,000 bounty. Two days ago, the crypto wallet provided launched a bounty program called HackerOne to “work with the security community to find vulnerabilities in the wallet and stay ahead of Web3 threats”.
The program was launched with 4 security tiers with different bounties. Low security discovers will be paid a total of $1,000, medium $2,000, high $15,000, and critical, as the vulnerability described above, will be paid $50,000 for any discovery.
At the time of writing, Ethereum (ETH) trades at $1,180 with a 3% loss on the 4-hour chart.
