Blockchain network Near Protocol has disclosed a security breach that was discovered in June, which could have resulted in a third-party service gaining access to the seed phrases for user walletswallets.
Near shared a blog post on Thursday about the breach, which was reported to the team on June 6 by security firm Hacxyk. At the time, the platform let users set an email address or phone number as a recovery option for a Near Wallet, enabling them to regain access to a wallet via email or SMS.
However, the recovery system potentially exposed users’ seed phrases— the private keys used to recover access to a crypto wallet—in the process. According to a tweet thread from Hacxyk, using the email recovery option would leak the seed phrase to a specific third party, the analytics platform Mixpanel.
Back in June, we found a bug in @NEARProtocol wallet that was almost the same as the recent Solana wallet hack. When a Near wallet user chooses "email" as the seed phrase recovery method, the seed phrase is leaked to a third party site. https://t.co/gHWhmxE3Smpic.twitter.com/MK31xUeAeL
“This allows anyone with access to [the] Mixpanel access log, or the Mixpanel account owner (e.g. Near devs) to have access to everyone who has clicked the link in the recovery email,” Hacxyk tweeted. “A likely scenario would be [that] the Mixpanel owner’s account got compromised.”
Near said that it resolved the issue on the day it was reported, deleted the leaked information, and identified who might have had access to it. Hacxyk was also paid a bug bounty for discovering the breach. However, the security incident had apparently not been revealed to the public until Hacxyk did so on Wednesday via Twitter.
Thousands of Solana users collectively lost about $4.5 million worth of SOL and other tokens from Tuesday night into early Wednesday, and now there’s a likely explanation for why: it’s being blamed on a private key exploit tied to mobile software wallet Slope.
On Wednesday afternoon, the official Solana Status Twitter account shared preliminary findings through collaboration between developers and security auditors, and said that “it appears affected addresses were at one point created, imported...
Hacxyk shared the Near breach because of its technical similarity to this week’s Solana wallet hack. In the case of Solana, a mobile wallet called Slope had a vulnerability that enabled users’ private keys to be accessed by potential attackers.
Ultimately, nearly $6 million worth of cryptocurrency and tokens was swiped from more than 10,500 unique Solana wallets, according to updated data from blockchain explorer Solscan.
Near reports that its issue was handled before any damage was done to users’ wallets. “To date, we have found no indicators of compromise related to the accidental collection of this data, nor do we have reason to believe this data persists anywhere,” Near’s post reads.
Still, Near recommends that any users who previously enabled the email or SMS recovery option rotate the keys attached to their wallet, as well as disable the recovery option. Near is no longer letting newly-created wallets use the email or SMS recovery option.
Hacxyk, meanwhile, recommends that anyone that previously selected the email recovery option transfer their assets to a new wallet, just to be safe.
The NEAR token is up nearly 15% over the last 24 hours at a current price of $5.13 per token, according to CoinGecko. The wider crypto market is only up about 2% during that span.
Daily Debrief Newsletter
Start every day with the top news stories right now, plus original features, a podcast, videos and more.
As catastrophic floods ravage central Texas and North Carolina, emergency responders are using professional and military-grade drones with infrared and real-time video to map flood zones, locate stranded victims, and direct rescue teams.
In Texas, MQ-9 Reapers flying 18,000 feet above the impacted area assisted first responders in locating missing victims of the flooding, including those from Camp Mystic, a summer camp where 27 children and counselors lost their lives.
But while drones assist in...
Minna Bank, Japan’s first digital-only bank and a subsidiary of Fukuoka Financial Group, announced Thursday it is exploring the use of stablecoins and digital wallets to support everyday financial services and payments in the country.
The initiative is part of a joint study in collaboration with Fireblocks, Solana Japan, and Japanese tech firm TIS, aiming to assess the practical applications of stablecoins and decentralized wallets in real-world banking.
The study will examine use cases includin...
If you follow the latest in Bitcoin happenings, then you may have seen the name “Alkanes” pop up on your timeline via Ordinals and Runes enjoyers. But what is it?
Alkanes is a new metaprotocol built on Bitcoin that introduces trustless smart contract functionality to the base layer, without relying on bridges or external execution layers. It allows developers to build apps and launch tokens natively on Bitcoin, expanding the functionality of the original blockchain.
Developed by Oyl Corp, the pr...