MyAlgo Warns Users to Withdraw Assets After $9M Exploit

  • The Algorand wallet provider has warned users to withdraw their assets from mnemonic wallets after an attacker targeted a group of “high-profile MyAlgo accounts”.
  • The root cause of the attacks remains unknown, with MyAlgo still investigating the issue, but reports have indicated that close to $9M has been stolen so far.

Users of MyAlgo, a crypto wallet provider for the Algorand blockchain, have been warned to withdraw their funds from mnemonic wallets amid an ongoing exploit, the platform said via Twitter on 27 February.

According to the announcement, over the past week there had been a targeted attack carried out against a group of “high-profile MyAlgo accounts”. All of the affected users were using mnemonic wallets (wallets that typically use between 12 and 24 words to generate a private key), with the key stored in their browsers. Individuals who use such MyAlgo wallets have been encouraged to “take precautionary measures” and move their assets to a third-party wallet to protect them.

Although the cause of these attacks is still unknown, Algorand Foundation CTO John Woods claimed that the exploit was “not the result of an underlying issue with the Algorand protocol” or the software development kit (SDK), and noted that around 25 accounts have been affected by these attacks. MyAlgo is currently in communication with the victims of the attack in order to identify the root cause of the problem, with Woods noting that he would post an explanation video once the investigation has concluded.

While the extent of the exploit was not revealed by MyAlgo, self-proclaimed “on-chain sleuth” ZachXBT outlined on Twitter that it is suspected the attackers were able to steal around 19.5 million ALGO and 3.5 million USDC, worth around $9 million. He also noted that centralized crypto exchange ChangeNow was able to freeze around $1.5 million worth of these tokens.

D13.co, an Algorand-focused developer collective, has also released a report on the incident, ruling out several possible exploit vectors such as malware and OS vulnerabilities. According to the report, the “most probable” conclusions were that either users’ seed phrases were compromised through phishing attacks, or that the MyAlgo website was hacked.
