As early as June 6, the security agency Hacxyk officially reported the potential vulnerability to Near Protocol. Although Near dealt with the problem quickly, it did not publicly acknowledge the vulnerability, or promise to pay a bounty for it, until Hacxyk recently disclosed the problem to the Twitter community.
Near urges users who have used Email/ text-message recovery for their private keys to replace those keys.
Another public chain, Solana, suffered the hacking of the Phantom and Slope wallets. Because the vulnerabilities are potentially similar, the security agency Hacxyk chose to disclose on Twitter on 8/4 that a similar problem existed in another public chain, Near Protocol.
That is, when the Near Wallet user chooses Email as the way to recover the mnemonic, the mnemonic is leaked to the third party.
Hacxyk emphasizes that such a design mechanism is very insecure. In this case, the third party, namely the data analysis platform Mixpanel, has access to the user’s private key. If Mixpanel is hacked, Near Wallet users who chose Email as the mnemonic recovery method face great risks.
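The failure mode described above is a secret reaching a third-party analytics service inside an ordinary event payload. The following is an added example, not code from Near, MyNearWallet or Mixpanel: a browser-side guard that scrubs mnemonic phrases and key-like strings from an analytics payload before it is handed to the tracker. The event name, the `seedPhrase` query parameter, the recovery-link shape and the `tracker.track(event, props)` interface are all assumptions made for illustration.

```javascript
// Added example (not the wallet's or the analytics vendor's own code).
// Scrubs secret-looking values from analytics payloads so that a recovery
// event never carries the user's mnemonic or key to a third party.

// Loose BIP39-style word check: lowercase, 3-8 letters. Good enough to flag
// a phrase for redaction; it is a guard, not a validator.
const BIP39_WORD = /^[a-z]{3,8}$/;

// Returns true if `value` looks like a 12- or 24-word mnemonic.
function looksLikeMnemonic(value) {
  if (typeof value !== 'string') return false;
  const words = value.trim().split(/\s+/);
  if (words.length !== 12 && words.length !== 24) return false;
  return words.every((w) => BIP39_WORD.test(w));
}

// Key-shaped strings: "ed25519:<base58>" (a common wallet key encoding) and
// 64-hex-character blobs (raw 32-byte keys). Assumed shapes, not Near's list.
const KEY_PATTERNS = [
  /ed25519:[1-9A-HJ-NP-Za-km-z]{40,}/g,
  /\b[0-9a-fA-F]{64}\b/g,
];

// Scrubs one string. If it is a URL, every query parameter whose value is a
// mnemonic is replaced, so a recovery link loses its secret but keeps its shape.
function scrubString(s) {
  let out = s;
  for (const re of KEY_PATTERNS) out = out.replace(re, '[REDACTED_KEY]');
  try {
    const url = new URL(out);
    const keys = Array.from(url.searchParams.keys()); // snapshot before mutating
    for (const k of keys) {
      if (looksLikeMnemonic(url.searchParams.get(k))) {
        url.searchParams.set(k, '[REDACTED_MNEMONIC]');
      }
    }
    out = url.toString();
  } catch (_) {
    // not a URL; fall through to the plain-string check
  }
  if (looksLikeMnemonic(out)) return '[REDACTED_MNEMONIC]';
  return out;
}

// Walks strings, arrays and plain objects; other values pass through unchanged.
function scrubPayload(value) {
  if (typeof value === 'string') return scrubString(value);
  if (Array.isArray(value)) return value.map(scrubPayload);
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) out[k] = scrubPayload(v);
    return out;
  }
  return value;
}

// Wrapper the wallet code would call instead of the vendor SDK directly.
// `tracker` is assumed to expose track(event, props); returns the cleaned props.
function safeTrack(tracker, event, props) {
  const cleaned = scrubPayload(props);
  tracker.track(event, cleaned);
  return cleaned;
}

// Constructed sample: a 12-word test phrase inside an assumed recovery link.
const SAMPLE_SEED = Array(11).fill('abandon').concat('about').join(' ');
const SAMPLE_EVENT = {
  method: 'email',
  link: 'https://wallet.example/recover?seedPhrase=' + encodeURIComponent(SAMPLE_SEED),
  key: 'ed25519:' + '3'.repeat(44),
};

const demoTracker = { track: (event, props) => console.log(event, props) };
safeTrack(demoTracker, 'recovery_email_sent', SAMPLE_EVENT);
```

The guard is a last line of defence: the real fix, as the wallet teams did, is to stop collecting the data at all. A scrubber like this mainly serves to catch the next accidental inclusion of a secret in telemetry, and a unit test over it makes that regression visible in CI.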
MyNearWallet and the official Near wallet both responded to this issue on August 4th, saying that they have removed the option to recover the private key by Email/ SMS. The latter has completely cleared the data collected by the third-party service, and strongly recommends that users who have actually used Email/ SMS to recover their private key in the past change their private key via wallet.near.org. Near said: “We have found no indication of risk as a result of the accidental collection of this data, and we have no reason to believe that this data still exists anywhere.”
In fact, Hacxyk reported this vulnerability to Near as early as June 6, and Near immediately dealt with the problem. However, it was not until Hacxyk disclosed this problem to the Twitter community on August 4 that Near publicly acknowledged the existence of the vulnerability and promised to pay the vulnerability bounty.
It is also at this time that users who have used Email/ SMS to recover their private keys are urged to change their private keys.
Hacxyk initially replied to the community about whether there was a bug bounty: “There was an official announcement that a bounty would be given, but it’s been a month since the last response.