On March 6th, the MyAlgo team advised its users that they should rekey any accounts created via their web-based Algorand (ALGO) blockchain wallet.
https://twitter.com/myalgo_/status/1632862464244162560
- myalgo_
It would appear that some mnemonic phrases have been compromised, affecting a few high-profile accounts that hold a considerable amount of tokens.
MyAlgo is a convenient web-based wallet that allows users to interact with Algorand dapps, such as DEXes like Tinyman, and the up-and-coming MFT (music fungible token) project Opulous.
After discovering the attack, MyAlgo has recommended that users rekey their accounts using the mobile app DeFly, or Pera Wallet, which also has a web version.
In Pera Wallet, the user needs to create a new account and then import their original MyAlgo account using the mnemonic phrase, which they should have securely stored somewhere. At that point, the MyAlgo account can be rekeyed to the new account.
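A check one might run after rekeying, as an added example (not code from MyAlgo, Pera Wallet or the original post): it reads the `auth-addr` field of an algod account record and the `rekey-to` field of indexer transaction records to confirm that the old account is now controlled only by the intended new account. The addresses and records are constructed placeholders, and the function names are hypothetical.

```python
# Added example. Field names follow algod's account record ("address", "auth-addr")
# and indexer transaction records ("sender", "rekey-to", "confirmed-round", "id").
# All addresses and records below are constructed placeholders, not real accounts.
OLD = "OLD_MYALGO_ADDRESS"      # account created in MyAlgo
NEW = "NEW_WALLET_ADDRESS"      # account created in the new wallet
ROGUE = "UNRECOGNISED_ADDRESS"  # any address the owner did not choose

def effective_signer(account):
    """Address whose key must sign for this account; auth-addr is absent if not rekeyed."""
    return account.get("auth-addr") or account["address"]

def rekey_history(address, txns):
    """Rekey operations sent from `address`, oldest first, as (round, txid, new signer)."""
    hits = [(t["confirmed-round"], t["id"], t["rekey-to"])
            for t in txns if t["sender"] == address and t.get("rekey-to")]
    return sorted(hits)

def audit(account, txns, expected_signer):
    """Return a list of findings; an empty list means the rekey looks as intended."""
    findings = []
    signer = effective_signer(account)
    if signer == account["address"]:
        findings.append("account is not rekeyed; the original key still controls it")
    elif signer != expected_signer:
        findings.append(f"account is controlled by {signer}, expected {expected_signer}")
    for rnd, txid, target in rekey_history(account["address"], txns):
        if target != expected_signer:
            findings.append(f"round {rnd}: tx {txid} rekeyed to {target}")
    return findings

PAYMENT = {"id": "TX1", "sender": OLD, "confirmed-round": 100}
GOOD_ACCOUNT = {"address": OLD, "auth-addr": NEW}
GOOD_TXNS = [PAYMENT, {"id": "TX2", "sender": OLD, "confirmed-round": 120, "rekey-to": NEW}]
BAD_ACCOUNT = {"address": OLD, "auth-addr": ROGUE}
BAD_TXNS = [PAYMENT, {"id": "TX9", "sender": OLD, "confirmed-round": 110, "rekey-to": ROGUE}]

if __name__ == "__main__":
    for label, acct, txns in (("good", GOOD_ACCOUNT, GOOD_TXNS), ("bad", BAD_ACCOUNT, BAD_TXNS)):
        print(label, audit(acct, txns, NEW) or "no findings")
```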
The detailed instructions on how to rekey an account using Pera Wallet (web version) can be found here:
This is a reminder that crypto isn't flawless. Even if you own the keys to your crypto, the wallet code can contain vulnerabilities. This is why security audits and diversification of one's assets are so important, especially when a wallet is relatively new.
There have been other high-profile crypto wallet attacks in the past, such as the Parity Multisig Wallet attack on Ethereum that allowed an attacker to steal over 150,000 ETH back in 2017.
In addition to technical faults, there are also phishing schemes, where thieves attempt to steal your mnemonic phrase by posing as a support agent in a Telegram chat, or by sending you a link where you are asked to enter your seed phrase.
How do we protect ourselves from these kinds of vulnerabilities? First of all, it's a good idea to have your funds diversified among multiple projects, especially when we are still in these experimental phases. If you have considerable wealth locked into one specific token, you may even consider spreading it over multiple wallets, so that one hack like this doesn't mean you lose everything.
This is all part and parcel of being here in the wild wild west of cryptocurrency. As time progresses, security will harden, and these vulnerabilities will eventually be a thing of the past.
What other strategies do you employ to avoid loss of funds from attacks like these?