Attackers with physical access to a user's device may be able to see the wallet's seed phrase, the security firm said.
ScaleBit, a subsidiary of security auditor BitsLab, has flagged a purported vulnerability that could potentially compromise “all stored assets” in decentralized exchange (DEX) Uniswap’s Web3 wallets, ScaleBit told Cointelegraph on Jan. 13.
The alleged “flaw enables attackers with physical access to the device to bypass the wallet’s authentication mechanisms and directly retrieve the mnemonic phrase stored on the device,” ScaleBit said in a statement.
A Web3 wallet’s mnemonic phrase, also known as a “seed phrase,” is a string of typically 12 to 24 random words that grants full control over a wallet’s assets from any device.
“[A]nyone with access to an unlocked device can obtain the wallet’s mnemonic phrase in under three minutes,” ScaleBit said, adding that “[alarmingly], this version persists even in the latest version of the app.”
ScaleBit said Uniswap Wallet users should avoid lending devices to others as a precautionary measure until the vulnerability is patched.
Uniswap representatives did not immediately respond to requests for comment. Cointelegraph was unable to independently verify the vulnerability.
Exploit losses
In 2024, the amount of cryptocurrency lost to cybersecurity exploits rose 40% from the prior year to some $2.3 billion, security firm Cyvers told Cointelegraph in December.
The rise reflected an increase in access control breaches, particularly in centralized exchanges (CEXs) and crypto custodians, according to Deddy Lavid, co-founder and CEO of Cyvers. Compromises of mnemonic phrases are a common type of access control breach.
Notably, losses to crypto scams, exploits, and hacks tapered off in the last months of 2024, with December registering the smallest amount stolen, blockchain security firm CertiK said in a Dec. 31 post on X.
CertiK said December saw $28.6 million in known losses to exploits, hacks, and scams, versus $63.8 million in November and $115.8 million in October.
Blockchain security firm PeckShield shared similar data in a Jan. 1 post on X. It recorded $24.7 million in hack losses in December, which it said was a 71% decrease from November.