Caution on Possible Mnemonic Phrase Exposure During Wallet Registrations on Replit

SlowMist
Dec 13, 2023


Background

Recently, some victims contacted the SlowMist security team for assistance after experiencing asset loss while using the online programming platform Replit to create wallets for the Atomicals protocol. These victims had deposited ATOM, an ARC20 token minted by the Atomicals protocol, into their wallets in multiple transactions. However, they discovered a total of 90,000 ATOM tokens had been stolen. According to the victims, the leakage of their private keys or mnemonic phrases occurred during the process of copying and pasting on a webpage.

Replit Wallet Creation Analysis

atomicals-js, available at https://github.com/atomicals/atomicals-js, is a tool developed and published on GitHub by the official Atomicals team. It consists of a command-line interface and a JavaScript library for interacting with the Atomicals protocol from JavaScript. The library is particularly useful for developers because it simplifies integration with the Atomicals protocol, making it more efficient to write, deploy, and manage applications built on Atomicals.

Replit is a well-known online programming platform, offering an online Integrated Development Environment (IDE) supporting various programming languages like Python and JavaScript. It offers features such as coding directly in the browser, quick project startup, and code sharing, making it highly convenient for programmers and developers.

On social media platforms like Weibo, Twitter, and YouTube, there are numerous tutorials on registering ARC20 wallets. Some of these tutorials specifically explain how to deploy the atomicals-js project online using Replit to create wallets and how to transfer ATOM ARC20 tokens, among other tasks.

Even tutorials that are not specifically aimed at ARC20 beginners recommend using the Replit platform. Because it is easy to use and supports many programming languages, Replit has become the platform of choice both in these tutorials and among their readers.

https://weibo.com/ttarticle/p/show?id=2309404950524427632902
https://twitter.com/Web3heinu/status/1730186061744136654
https://twitter.com/Coinowodrop/status/1728042508687475187

A significant characteristic of the Replit platform is its public nature. Code deployed on this platform is open and accessible to everyone. When the atomicals-js project is deployed and run, it generates a file named wallet.json in the project directory. This file contains sensitive information such as generated mnemonic phrases, private keys, and addresses.

It’s important to note that with simple searches or techniques like Google Hacking, it’s easy to find projects using atomicals-js and running on Replit, and thus locate instances containing the wallet.json file. This means that anyone could potentially access these files containing sensitive information, posing a security risk.

Therefore, creating wallets by following these tutorials poses significant risks. It is advisable to avoid running code containing sensitive information on publicly accessible platforms, especially when it involves cryptocurrency wallets or private keys. For security purposes, it’s essential to choose a more secure and reliable environment for generating and managing cryptocurrency wallets.

MistTrack Analysis

Analysis using the MistTrack tool revealed that on September 23, the victim transferred ATOM in several transactions (reportedly totaling 98,000) to the ARC20 wallet address they had created, “bc1pt046u0mew4yq83ftwrp3eqfalvf8d6g6lncnmnf3l4zaaalpl54qwvxuqp”. On September 24, these tokens were transferred to the hacker’s address “bc1psanyvngxqgwxcssfwryl8mva7em4pmp37jcck2m67xtux8l887js7ezvev”. This finding highlights the security risks in cryptocurrency transactions, especially when using online platforms and tools, where users need to be extra vigilant.

Querying https://satsx.io/ shows that 68,000 of the ATOM ARC20 tokens stolen by the hacker have not yet been transferred onward.

Conclusion

The attack method discussed here is notably low-cost, requiring merely basic search and scanning abilities. The SlowMist security team cautions that anyone who has inadvertently used Replit to create a wallet should promptly move their assets and erase all sensitive files. Additionally, users must exercise extreme caution when utilizing wallets or mnemonic phrases generated on unfamiliar web platforms. The SlowMist team recommends selecting wallet services that are reputable and have undergone rigorous security audits to minimize the risk of data breaches.

About SlowMist

At SlowMist, we pride ourselves on being a frontrunner in blockchain security, dedicating years to mastering threat intelligence. Our expertise is grounded in providing comprehensive security audits and advanced anti-money laundering tracking to a diverse clientele. We’ve established a robust network for threat intelligence collaboration, positioning ourselves as a key player in the global blockchain security landscape. We offer tailor-made security solutions that span from identifying threats to implementing effective defense mechanisms. This holistic approach has garnered the trust of numerous leading and recognized projects worldwide, including names like Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, and Cheers UP. Our mission is to ensure the blockchain ecosystem is not only innovative but also secure and reliable.

SlowMist offers a variety of services that include but are not limited to security audits, threat information, defense deployment, security consultants, and other security-related services. They offer AML (Anti-money laundering) software, Vulpush (Vulnerability monitoring), SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall), Safe Staking and other SaaS products. They have partnerships with domestic and international firms such as Akamai, BitDefender, FireEye, RC², TianJi Partners, IPIP, etc.

By delivering a comprehensive security solution customized to individual projects, they can identify risks and prevent them from occurring. Their team was able to find and publish several high-risk blockchain security flaws. By doing so, they could spread awareness and raise the security standards in the blockchain ecosystem.
