Late last week, it was discovered that the independently developed MyDashWallet had been compromised: an attacker modified a third-party script the wallet loaded so that users’ private keys were sent to an external server. Once the vulnerability was revealed, Dash Core Group members assisted the developer in correcting the issue.
Today it was discovered that https://t.co/PozDtfUaf3 was compromised between May 13th-July 12th. Anyone using mydashwallet during that time should assume their private keys are known by the hacker and immediately move balances out of that wallet. Details: https://t.co/yKRopU0HgJ
— DASH (@Dashpay) July 12, 2019
The hack was possible because MyDashWallet loaded the latest version of an externally hosted script rather than a specific, reviewed version, so when that script’s hosting account was compromised the malicious change reached every user automatically. Out of an abundance of caution, anyone who used MyDashWallet between May 13 2019 and July 12 2019 should assume that their private keys are known to the attacker and move their funds immediately.
“In April 2018, MyDashWallet was modified to load an external script from the script hosting website GreasyFork. While not abnormal, this is not considered a secure practice, particularly since the reference loaded the latest version of the script, rather than a specific version. On May 13 2019, a hacker compromised the GreasyFork account of the original author of the script, Jixun Moe, and added code to send users’ private keys to an external server. This change was detected on July 12 2019 when the hacker used the private keys to move user funds. MyDashWallet is not maintained by Dash Core Group, and at no time was the Dash network itself compromised.”
As Philipp Engelhorn, assisted by Leon White, posted in the Dash forum, “[t]he insecure coding practice implemented by MyDashWallet went undetected for over a year due to insufficient review of code by third parties”. He emphasized that, in the future, “all code handling private keys should be reviewed thoroughly before being trusted with user funds” and that “the use of local keystore files should be discouraged in favour of hardware wallets, similar to best practices implemented by MyEtherWallet”.
How Dash Core Group warns users and assists in mitigating the situation
Firstly, Dash Core Group mitigates the risk of such vulnerabilities in its own code by ensuring that “[a]ll software released by Dash Core Group is both open source and subjected to stringent quality testing prior to release”. Third-party vulnerabilities remain a risk with open source software, since anyone is free to take the code and build their own variations and applications on it without the same level of review. Open source software does have the advantage, however, that such vulnerabilities can be found by independent reviewers, whereas closed-source code could be compromised without the compromise ever becoming known or public.
Secondly, Dash Core Group “is assisting the developer to resolve this issue and collecting relevant information to provide to law enforcement”, according to Michael Seitz in the Dash Forum. This is a positive sign: even though the vulnerability is in neither Dash Core Group’s code nor the Dash blockchain, the group still helps keep Dash-related apps and community members safe by helping to resolve issues as they arise. This is also cited as one reason third-party exchanges and vendors like integrating Dash: they have Dash Core Group as real people to fall back on and ask questions.
Decentralized systems require a high degree of user awareness
Cryptocurrency was created to be open source and decentralized, with no single person or group in charge. While this supports the permissionless accessibility of the network, it also means third-party products can be built and used without rigorous testing or independent review. Users can choose trusted, well-built software, but they can equally fall prey to poorly constructed services, outright scams, or other malicious apps. Because of this, users who seek the decentralization and associated benefits of cryptocurrency should also take full responsibility for the risks of using potentially untested systems, and take additional precautions to protect their safety and funds.