- A crypto wallet vulnerability called ‘Demonic’ Halborn has been patched by major wallet suppliers
- The Demonic vulnerability could have seen many wallet users’ recovery phrases compromised
- The flaw has now been patched in all affected wallets
A major crypto wallet vulnerability discovered last year has been patched thanks to the combined efforts of several entities. The ‘Demonic’ vulnerability, officially called CVE-2022-32969, affected wallets using BIP39 mnemonics and would have allowed recovery phrases to be intercepted by bad actors remotely or by using compromised devices, ultimately leading to a hostile takeover of the wallet. Security firm Halborn has been credited with discovering the flaw, which has now been patched on major wallets such as Metamask, Brave and Fantom.
⚠Halborn Receives Major Security Bounty from @MetaMask for Critical Discovery⚠
We disclosed a critical vulnerability affecting @MetaMask, @Brave, @Phantom, @xdefi_wallet, and other browser based crypto wallets – A short 🧵 on the vulnerability and how to protect 🔐 yourselves:— Halborn (@HalbornSecurity) June 15, 2022
Demonic Discovered in May 2021
Halbron first discovered Demonic in May 2021, learning that the vulnerability led to secret recovery phrases for users of many major crypto wallets being stored unencrypted on the computer’s hard disk when an account was created or recovered using the seed phrase.
The exploit needed a very specific sequence of events to take place to work – the user’s hard drive had to be unencrypted and the recovery phrase had to have been imported into a browser extension wallet using a device that was no longer in the user’s possession or was “logically compromised”. This meant that mobile wallets were not impacted, only wallets on machines with a separate drive.
All Affected Wallets Now Patched
Should the Demonic exploit have been activated, the recovery phrase could have been used to compromise the wallet and the funds taken. Halborn reported that it has been working with the major wallet providers ever since discovering it, with users now safe as long as they use the latest version of their browser.
Despite the conditions of the exploit being very specific, Metamask apparently found it serious enough to be classed as a “critical discovery” and awarded Halborn with a “major security bounty”.
