Blockchain network Near Protocol has disclosed a security breach that was discovered in June, which could have resulted in a third-party service gaining access to the seed phrases for user walletswallets.
Near shared a blog post on Thursday about the breach, which was reported to the team on June 6 by security firm Hacxyk. At the time, the platform let users set an email address or phone number as a recovery option for a Near Wallet, enabling them to regain access to a wallet via email or SMS.
However, the recovery system potentially exposed users’ seed phrases— the private keys used to recover access to a crypto wallet—in the process. According to a tweet thread from Hacxyk, using the email recovery option would leak the seed phrase to a specific third party, the analytics platform Mixpanel.
Back in June, we found a bug in @NEARProtocol wallet that was almost the same as the recent Solana wallet hack. When a Near wallet user chooses "email" as the seed phrase recovery method, the seed phrase is leaked to a third party site. https://t.co/gHWhmxE3Smpic.twitter.com/MK31xUeAeL
“This allows anyone with access to [the] Mixpanel access log, or the Mixpanel account owner (e.g. Near devs) to have access to everyone who has clicked the link in the recovery email,” Hacxyk tweeted. “A likely scenario would be [that] the Mixpanel owner’s account got compromised.”
Near said that it resolved the issue on the day it was reported, deleted the leaked information, and identified who might have had access to it. Hacxyk was also paid a bug bounty for discovering the breach. However, the security incident had apparently not been revealed to the public until Hacxyk did so on Wednesday via Twitter.
Thousands of Solana users collectively lost about $4.5 million worth of SOL and other tokens from Tuesday night into early Wednesday, and now there’s a likely explanation for why: it’s being blamed on a private key exploit tied to mobile software wallet Slope.
On Wednesday afternoon, the official Solana Status Twitter account shared preliminary findings through collaboration between developers and security auditors, and said that “it appears affected addresses were at one point created, imported...
Hacxyk shared the Near breach because of its technical similarity to this week’s Solana wallet hack. In the case of Solana, a mobile wallet called Slope had a vulnerability that enabled users’ private keys to be accessed by potential attackers.
Ultimately, nearly $6 million worth of cryptocurrency and tokens was swiped from more than 10,500 unique Solana wallets, according to updated data from blockchain explorer Solscan.
Near reports that its issue was handled before any damage was done to users’ wallets. “To date, we have found no indicators of compromise related to the accidental collection of this data, nor do we have reason to believe this data persists anywhere,” Near’s post reads.
Still, Near recommends that any users who previously enabled the email or SMS recovery option rotate the keys attached to their wallet, as well as disable the recovery option. Near is no longer letting newly-created wallets use the email or SMS recovery option.
Hacxyk, meanwhile, recommends that anyone that previously selected the email recovery option transfer their assets to a new wallet, just to be safe.
The NEAR token is up nearly 15% over the last 24 hours at a current price of $5.13 per token, according to CoinGecko. The wider crypto market is only up about 2% during that span.
Daily Debrief Newsletter
Start every day with the top news stories right now, plus original features, a podcast, videos and more.
DFZ Labs, the creators of the Ethereum NFT project Deadfellaz, will launch a new asset verification tool that allows users to connect online and offline assets without signing blind transactions or smart contract approvals.
Coldlink, now in beta, enables blockchain users to connect their blockchain address to any asset in Web2, Web3, or real life without incurring the security risk of blind signing or smart contract approvals, DFZ Labs said.
“To ‘Coldlink’ something is to connect any digital ass...
Scammers are using cracked versions of TradingView Premium to drain crypto wallets.
The app is disguised as a “cracked” version of the real TradingView Premium app. Downloads of the malware infused versions are being distributed via Reddit and have often been found in cryptocurrency sub Reddits.
Victims have reported having their entire crypto wallets emptied. They were then impersonated by the scammers, who used their details to send out phishing attempts encouraging the victims’ contacts to d...
In a London office on Thursday, BitcoinOS developers completed the final code commit that would open-source BitSNARK, a specialized protocol enabling zero-knowledge verification on Bitcoin.
The move to open-source BitSNARK “unlocks programmability on Bitcoin” and aims to help developers “build and experiment in ways that were previously impossible,” Edan Yago, CEO and co-founder of BitcoinOS, told Decrypt.
The release follows BitcoinOS's July 2024 demo, which verified the first zero-knowledge pr...