On the 15th of June, several companies providing crypto wallets – as well as the cybersec firm responsible for finding exploits – announced the existence and subsequent patching of a security issue affecting browser extension-based wallets.
The vulnerability, codenamed “Demonic,” was discovered by security researchers at Halborn, who approached affected companies last year. They have now gone public with their findings, having allowed affected parties to fix the issue beforehand in a bid to limit damage to end-users.
Metamask, xDEFI, Brave, and Phantom Affected
The Demonic exploit – officially named CVE-2022-32969 – was originally discovered by Halborn back in May 2021. It affected wallets using BIP39 mnemonics, allowing recovery phrases to be intercepted by bad actors remotely or using compromised devices, ultimately leading to a hostile takeover of the wallet.
However, the exploit needed a very specific sequence of events to take place.
To start off, this issue did not affect mobile devices. Only wallet owners using unencrypted desktop devices were vulnerable – and they would have had to import the secret recovery phrase from a compromised device. Lastly, the “Show Secret Recovery Phrase” option would have had to be used.
⚠Halborn Receives Major Security Bounty from @MetaMask for Critical Discovery⚠
We disclosed a critical vulnerability affecting @MetaMask, @Brave, @Phantom, @xdefi_wallet, and other browser based crypto wallets – A short 🧵 on the vulnerability and how to protect 🔐 yourselves:
— Halborn (@HalbornSecurity) June 15, 2022
Halborn promptly reached out to the four companies found to be endangered by the exploit, and work began in secret to fix the issue before it could be discovered by black hat hackers.
“Due to the severity of the vulnerability and the number of impacted users, technical details were kept confidential until a good faith effort could be made to contact affected wallet providers.
Now that the wallet providers have had the opportunity to remediate the issue and migrate their users to secure recovery phrases, Halborn is providing in-depth details to raise awareness of the vulnerability and help prevent similar ones in the future.”
Issue Solved, Vigilantes Rewarded
Metamask dev Dan Finlay published a blog post urging users to update to the latest version of the wallet in order to benefit from the patch, which nullifies the issue. Finlay also asked them to pay attention to security in general, keeping devices encrypted at all times.
The blog post also announced the payout of $50k to Halborn for the discovery of the vulnerability as a part of Metamask’s bug bounty program, which pays out sums between $1k and $50k, depending on severity.
Phantom also issued a statement on the matter, confirming the vulnerability was patched for its users by April 2022. The company also welcomed Oussama Amri – the expert behind Halborn’s discovery – to Phantom’s cybersec team.
1/ As of April 2022, Phantom users are protected from the “Demonic” critical vulnerability in crypto browser extensions.
— Phantom (@phantom) June 15, 2022
All parties involved urged concerned users to ensure they have upgraded to the latest version of the wallet and to reach out to the respective security teams for any additional issues.