A security firm reported a vulnerability in June; Near acknowledged it in August, urging users to change their private keys.


The security firm Hacxyk reported a potential vulnerability to Near Protocol officials on 6/6. Although Near promptly addressed the issue, it was only when Hacxyk recently disclosed the problem to the Twitter community that Near publicly acknowledged the existence of the vulnerability. Near has committed to issuing a bug bounty and has urged users who used email/SMS to recover their private keys to change those keys.

Near Wallet Vulnerability

The public blockchain Solana experienced hacking incidents on the Phantom and Slope wallets. Due to the potential similarity in vulnerabilities, the security firm Hacxyk chose to disclose a similar issue that occurred on the Near Protocol blockchain on 8/4 via Twitter. This issue involved Near wallet users choosing "Email" as the method to recover their mnemonic phrases, which led to the exposure of the mnemonic phrases to third-party organizations.

Hacxyk emphasized that such a design mechanism is highly insecure. In this case, the third party was the data analytics platform Mixpanel, which would have access to user private keys. If Mixpanel were to be hacked, Near wallet users who had chosen "Email" as their recovery method for the mnemonic phrases would face significant risks.
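The failure mode described above is a secret reaching an analytics provider through ordinary telemetry. The following is an added example, not code from Near, MyNearWallet, Hacxyk or Mixpanel, of a client-side scrubber that runs over an analytics event before it leaves the wallet. The event shape, the field names (seedPhrase, pasted_text, current_url), the hosts and the heuristic that a 12 to 24 word run of short lowercase words is a seed phrase are all assumptions made for illustration; the page does not say how the phrases reached Mixpanel, only that they did.

```javascript
// Added example (not Near's, MyNearWallet's or Mixpanel's code): redact seed
// phrases, sensitive keys and URL query/fragment data from analytics events
// before they are sent to any third party. Field names are constructed.

const SEED_WORD_COUNTS = new Set([12, 15, 18, 21, 24]);
const SENSITIVE_KEYS = /^(seed|seedphrase|seed_phrase|mnemonic|recovery|privatekey|private_key)$/i;
const REDACTED = '[REDACTED]';

// Heuristic (assumption, no wordlist check): a BIP-39-style mnemonic is
// 12..24 lowercase words of 3-8 letters. This may over-redact prose; for
// telemetry that is the safe direction to err in.
function looksLikeSeedPhrase(s) {
  const words = s.trim().split(/\s+/);
  return SEED_WORD_COUNTS.has(words.length) && words.every((w) => /^[a-z]{3,8}$/.test(w));
}

// Drop query string and fragment from URLs: recovery links and single-page-app
// state both tend to carry secrets there, and auto-captured page views include them.
function scrubUrl(s) {
  try {
    const u = new URL(s);
    u.search = '';
    u.hash = '';
    return u.toString();
  } catch {
    return s; // not an absolute URL, leave unchanged
  }
}

function scrubValue(key, value) {
  if (SENSITIVE_KEYS.test(key)) return REDACTED;
  if (typeof value === 'string') {
    if (looksLikeSeedPhrase(value)) return REDACTED;
    if (/^https?:\/\//i.test(value)) return scrubUrl(value);
    return value;
  }
  if (Array.isArray(value)) return value.map((v) => scrubValue(key, v));
  if (value && typeof value === 'object') return scrubEvent(value);
  return value;
}

// Walk an event object and return a scrubbed copy; call this in the
// analytics SDK's "before send" hook so nothing else can bypass it.
function scrubEvent(event) {
  const out = {};
  for (const [k, v] of Object.entries(event)) out[k] = scrubValue(k, v);
  return out;
}

// Constructed sample: a page-view event an analytics SDK might auto-capture
// during an email recovery flow. The 12 words are the first BIP-39 words.
const SAMPLE_EVENT = {
  event: 'page_view',
  current_url: 'https://wallet.example/recover-with-link?seedPhrase=abandon%20ability%20able',
  properties: {
    seedPhrase: 'abandon ability able',
    pasted_text: 'abandon ability able about above absent absorb abstract absurd abuse access accident',
    referrer: 'https://mail.example/inbox',
    note: 'user clicked recovery link',
  },
};

console.log(JSON.stringify(scrubEvent(SAMPLE_EVENT), null, 2));
```

The scrubber is a last line of defence; the fix the page describes, removing the email/SMS recovery option so the secret never sits in a browser URL or form value that telemetry can observe, is the one that actually closes the issue.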

Updates from the Near Team

MyNearWallet and Near responded to this issue on 8/4 by removing the option to recover private keys via Email/SMS. Near also completely deleted the data collected by third-party services and strongly recommended that users who had previously recovered their private keys via Email/SMS change their private keys through wallet.near.org. Near stated:

We have not found any signs of risk caused by the unintentional collection of this data, and we have no reason to believe that this data still exists anywhere.

Concerns with Near's Handling

In fact, Hacxyk had reported this vulnerability to Near as early as 6/6, and Near promptly addressed the issue. However, it was not until Hacxyk disclosed the problem to the Twitter community on 8/4 that Near publicly acknowledged the existence of the vulnerability and pledged to issue a bug bounty. It was also at this time that they urged users who had recovered their private keys via Email/SMS to change their private keys.

When asked if they had received a bug bounty, Hacxyk initially stated:

The official statement was that a reward would be given, but the last response was already a month ago.