Solana wallet Phantom announced Wednesday that it’s rolling out a new update next week to further strengthen its security after it patched a “demonic vulnerability” discovered by blockchain cybersecurity firm Halborn in May of last year.

The vulnerability affected MetaMask, Phantom, Brave, and XDefi browser extension wallets. When any of these wallets were imported using a seed phrase, secret recovery phrases “may have been stored on-disk unencrypted.”

This means that anyone using a borrowed computer or any unencrypted computer may be at risk of losing the assets in their wallet if an attacker is able to access their hard drive.


Ethereum wallet MetaMask quietly patched this vulnerability back in March with version 10.11.3, which modifies the recovery phrase input process into “one-field-per-word.”

In a blog post Wednesday, MetaMask said mobile app users are not affected by the exploit.

Phantom said it learned about the vulnerability in September 2021. It began making fixes in January 2022, but fully patched the vulnerability in April of this year. 

Phantom added that it would be rolling out another substantial security patch next week.


Halborn reported Wednesday that Brave and XDefi have also since patched the vulnerability.

MetaMask said it awarded Halborn with $50,000 for discovering the security exploit, and reassured users that the exploit only affects “a small segment of users.” 

It also said that anyone with a fully-encrypted hard drive would be immune to the vulnerability.

“Users who use full disk encryption are totally immune to the approach reported, and we recommend it for all users just to be extra safe,” MetaMask wrote on Twitter.

Since the exploit was discovered, Phantom shared that it has hired the Halborn employee who discovered the vulnerability, Oussama Amri, as a security engineer.

“Substantial parts of our codebase have changed,” Phantom said, adding that it would make parts of its code open source in the near future.

MetaMask advised anyone who might have been using an older version of its browser extension with an unencrypted hard drive—who imported their secret recovery phrase on a potentially compromised device and selected the “Show Secret Recovery Phrase” checkbox—should consider migrating to a new wallet.

Stay on top of crypto news, get daily updates in your inbox.