This vulnerability affects several web crypto wallets and allows an attacker to extract a secret recovery phrase from a personal computer. As mentioned, the vulnerability doesn’t affect all MetaMask users, but a very small portion.
This is because the user will need to meet 3 conditions to be subject to this attack: use an unencrypted hard drive, the user would have had to import the secret recovery phrase from the MetaMask web extension to a compromised device, or to be using the crypto wallet extension from an unsecured computer and use the “show secret recovery phrase” checkbox during the import process.
Users with the intention to migrate to a new wallet should have enough funds to pay for the required gas fees, the wallet provider said. These fees can “become costly” depending on the user’s funds and the smart contracts “storing or managing those assets”.
Assets under the Ethereum ETC-20, ERC-721 (NFTs), and ERC-1155 standards should be a priority. The wallet provider warned:
If your account has been compromised, it is possible that you have had a sweeper bot placed on your account. If this is the case, then as soon as you transfer tokens in, they may be transferred to the attacker’s address.
As MetaMask clarified, the vulnerability doesn’t impact their mobile users, but only users on macOS, Linux, and Windows using Google Chrome, Firefox, or Chromium-based web browsers. The company implemented a “mitigation” for this vulnerability.
In that sense, all users were asked to update their crypto wallets to the 10.11.3 version. Users were also encouraged to contact MetaMask Support for any additional assistance or information.
The program was launched with 4 security tiers with different bounties. Low security discovers will be paid a total of $1,000, medium $2,000, high $15,000, and critical, as the vulnerability described above, will be paid $50,000 for any discovery.
At the time of writing, Ethereum (ETH) trades at $1,180 with a 3% loss on the 4-hour chart.