On Feb 20, 2023, Edge senior staff were made aware of a security incident in which a user experienced an unauthorized transaction that swept the full balance of their Bitcoin wallet. All other funds in the user’s Edge account were intact. Because Edge uses a separate master private key for each wallet, we concluded that an attacker had not logged into the user’s account; only the private key of their Bitcoin wallet had been compromised.
After further investigation, we determined that the Edge application contained a vulnerability that would leak private keys only if a user performed both of the following actions:
- Opened one of the following partners from the “Buy” or “Sell” tabs in the bottom navigation bar: Bity, Wyre, Bitrefill, Ionia, Xanpool, LibertyX, Bitaccess, Bits of Gold, Banxa (bank transfer only, not credit card or Apple Pay). This action wrote the unencrypted private key of the currently-selected wallet to the device’s disk as part of the app log.
- Used the “Upload Logs” feature in Edge, which sends the on-device log to Edge servers. The upload included the private key only if it was performed shortly after visiting one of those buy/sell screens: the on-device log is bounded, so new entries eventually push out the old ones.
Based on the keys visible on the Edge logs server, this vulnerability sent approximately 2000 private keys to Edge infrastructure. This amounts to less than 0.01% of the approximate total number of keys created on the Edge platform. A spot check of several dozen of those private keys shows that many still hold funds, from which we conclude that there has not been a broad compromise of Edge infrastructure, which would have drained the vast majority of funds on such keys.
Given the narrow path by which a user’s keys could have been compromised, and the very few reports we have received from users with missing funds (currently totaling low five figures in USD), we believe this incident has very limited scope and may be a targeted attack on the affected users. We are continuing the investigation, including deep device forensics, to determine whether malware had access to the unencrypted private keys on disk.
At this time, we urge all Edge users to update to the latest version of Edge (v3.3.1), which is available in the Google Play Store, the Apple App Store, and via direct download on our website. This release fixes all known vulnerabilities involving wallet private keys and immediately deletes all prior logs from disk. To secure funds, we urge users to create new wallets (a new account is not needed, just a new wallet inside the existing account) and transfer funds from the old wallets to the newly created ones. A new wallet created in an existing account has no exposure to the vulnerabilities involving its private key.
Steps You Should Take
*** Users can see a step-by-step guide on how to transfer funds here. ***
Development has started immediately on making the transfer of funds to new keys a simple process of just a few clicks. We are expediting this work and hope to have a release available within the week. In addition, we intend to push a release that will alert users if their wallet keys were uploaded to Edge log servers, by matching the public addresses of the affected wallets.
Who Was Not Affected
Users who never visited any of the buy/sell options (Bity, Wyre, Bitrefill, Ionia, Xanpool, LibertyX, Bitaccess, Bits of Gold, and Banxa (bank transfer only)) were not exposed to this vulnerability at all. Users who only used the Visa/MasterCard/Apple Pay/Google Pay buy/sell options, which auto-route to Banxa, Simplex, or Moonpay without redirecting to a web browser, were unaffected. The Visa/MasterCard/Apple Pay/Google Pay option has been available since version 2.19.0 (Aug 11, 2022). Partners who only use the Edge SDK are also not impacted by this vulnerability.
The Edge team invoked our critical vulnerability response protocol with the following timeline:
2/20 1:30pm PT: Head of QA is made aware of a security incident involving lost funds. Preliminary investigation begins, including a check of the access logs of the user’s account.
2/20 2:10pm PT: The Edge user is thoroughly interviewed regarding their key management practices including importing or exporting of private keys, sharing of account access, jailbreaking of phone or installation of unauthorized apps. No immediate issues were found.
2/20 2:15pm PT: CEO, Head of QA, Head of Support, and Lead Engineer immediately began forensics on sensitive Edge infrastructure including login servers and logs servers. The user’s mobile device was immediately shut down and disconnected from the network for future forensics.
2/20 2:30pm PT: Upon discovery that the Edge user had used the “Upload Logs” feature in the past 2 months, forensics began on the Edge logs server which houses the uploaded logs.
2/20 2:40pm PT: Log files on the Edge logs server were found to contain private keys for the Edge user’s stolen funds.
2/20 2:44pm PT: Edge Chief Architect was contacted immediately and brought in to examine code to find a vulnerability that could have leaked private keys.
2/20 2:50pm PT: Edge logs servers are immediately shut down, preventing access to any compromised private keys by staff or a malicious attacker.
2/20 3:05pm PT: Edge Chief Architect discovers the vulnerability: improper logging routines that could write unencrypted private keys to disk in some circumstances. A later use of Upload Logs could therefore send those private keys to Edge servers. Due to the critical nature of this vulnerability, and per our standard critical vulnerability response, Edge staff determine that an immediate patch is necessary to delete any unencrypted private keys from disk before malicious actors become aware of their existence. The Edge engineering team is immediately tasked with implementing a patch release. Per our open source and transparency ethos, technical details of the vulnerability and timeline are provided below.
2/20 4:00pm PT: Log servers are cloned off-line and closely examined for any malicious access.
2/20 5:05pm PT: The initial pull request is made to a private repo to fix the logging vulnerability.
2/20 9:21pm PT: After code review, the pull request is merged and QA begins testing the release.
2/20 10:42pm PT: The Edge app is uploaded for review to the Google Play and iOS App Stores. It is also uploaded to our website for direct download.
2/21 1:30am PT: A scan of the Edge logs servers for compromised private keys is completed to assess the scale of impact to the user base.
2/21 6:53am PT: Apple App Store approves patch release and it is propagated to users worldwide. Note that propagation can take upwards of 24 hours.
2/21 5:02pm PT: Exact timeline details of code vulnerability in edge-react-gui are determined and documented.
2/22 10:45am PT: Edge partners utilizing a fork of the Edge app are notified of the vulnerability.
2/22 2:00 PT: Public Announcement of vulnerability is made.
Code Vulnerability Timeline Details
From edge-react-gui d9399f888384498f21bbd4fbbf69089dd50e3b9b - committed May 22, 2019 - released in v1.7.6
Edge begins logging EdgeProvider traffic to disk, which includes the wallet object with its keys if the user performs a spend while in the partner WebView scene.

From edge-react-gui 5fda91052954081a6231ac21ece0ab6aa8bae5cb - committed Jul 8, 2022 - released in v2.18.0
Visiting a partner inside an EdgeProvider WebView logs the currently-selected wallet object to disk, including private keys.

From edge-react-gui c7618cc13786df79110e4881634694132a27a8a4 - committed Feb 20, 2023 - released in v3.3.1
Fixes all of the above issues.
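The defect in both commits above is a generic one: a debug logger handed a whole wallet object serializes everything in it, keys included, and a later log upload carries the result off the device. The following is an added example written for this page, not code from edge-react-gui or the Edge SDK, of the two routines a team wants after an incident of this kind: a redacting serializer that drops secret-named fields and key-shaped strings before a log line is written to disk, and a scanner that triages already-written log text for leaked key material, the sort of check that was run against the log servers on 2/21. The wallet shape, field names (keys, bitcoinKey, publicWalletInfo), log lines, and key-like strings are constructed stand-ins and do not reflect Edge’s actual data model or log format.

```javascript
// Added example (not edge-react-gui or Edge SDK code). Two routines for the two halves
// of the incident: (1) a redacting serializer so a logger handed a whole wallet object
// never writes key material to disk, and (2) a scanner that triages log text that was
// already written for key-shaped strings. Wallet shape, field names, log lines and
// key-like strings below are constructed stand-ins.

// Field names whose values are dropped outright, whatever they contain. (assumed list)
const SECRET_FIELD = /^(keys|privateKey|privKey|mnemonic|seed|xprv|wif|secret|passphrase|pin)$/i;

// Value patterns that look like key material even under an innocuous field name.
// `redact: false` marks a pattern that is a useful forensic signal but too noisy to
// scrub from live logs: a 64-hex string is usually a txid or hash, not a key.
const KEY_PATTERNS = [
  { kind: 'wif',   redact: true,  re: /\b[5KL][1-9A-HJ-NP-Za-km-z]{50,51}\b/g },       // Base58 WIF
  { kind: 'xprv',  redact: true,  re: /\b[xyz]prv[1-9A-HJ-NP-Za-km-z]{100,112}\b/g },  // BIP32 extended private key
  { kind: 'hex32', redact: false, re: /\b[0-9a-fA-F]{64}\b/g },                        // raw 32-byte scalar, or a txid
];

// Scrub key-shaped substrings out of a free-form string.
function redactString(s) {
  let out = s;
  for (const p of KEY_PATTERNS) {
    if (p.redact) out = out.replace(p.re, '[REDACTED]');
  }
  return out;
}

// Return a copy of `value` that is safe to serialize: secret-named fields replaced,
// key-shaped strings scrubbed, recursion bounded so a cyclic object cannot loop forever.
function redact(value, depth = 0) {
  if (depth > 32) return '[depth limit]';
  if (typeof value === 'string') return redactString(value);
  if (Array.isArray(value)) return value.map((v) => redact(v, depth + 1));
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = SECRET_FIELD.test(k) ? '[REDACTED]' : redact(v, depth + 1);
    }
    return out;
  }
  return value; // numbers, booleans, null, undefined pass through unchanged
}

// The pattern behind the incident: the whole object is written to the log verbatim.
function unsafeLogLine(tag, payload, ts = new Date()) {
  return `${ts.toISOString()} ${tag} ${JSON.stringify(payload)}`;
}

// The hardened form: same call shape, but the payload is redacted before serialization.
function safeLogLine(tag, payload, ts = new Date()) {
  return `${ts.toISOString()} ${tag} ${JSON.stringify(redact(payload))}`;
}

// Forensic triage over log text: every key-shaped match with its line number and kind.
// Every pattern participates here; hex32 hits are flagged for a human to confirm.
function scanLogForKeys(logText) {
  const hits = [];
  logText.split('\n').forEach((line, i) => {
    for (const p of KEY_PATTERNS) {
      for (const m of line.match(p.re) || []) {
        hits.push({ line: i + 1, kind: p.kind, value: m });
      }
    }
  });
  return hits;
}

// --- constructed sample data: not real keys, addresses or Edge logs ---
const FAKE_WIF = 'K' + 'a'.repeat(51);   // WIF-shaped string, no valid checksum
const FAKE_TXID = 'ab'.repeat(32);       // 64 hex chars, i.e. txid-shaped
const SAMPLE_WALLET = {
  id: 'wallet-01',
  type: 'wallet:bitcoin',
  name: 'Bitcoin',
  keys: { bitcoinKey: FAKE_WIF, format: 'wif' },   // what must never reach a log
  publicWalletInfo: { receiveAddress: 'bc1qexample0000000000000000000000000000' },
  balances: { BTC: '0.0421' },
};
const SAMPLE_LOG = [
  '2023-02-18T10:00:01Z EdgeProvider open scene=partnerWebView',
  unsafeLogLine('wallet', SAMPLE_WALLET, new Date('2023-02-18T10:00:02Z')),  // the leak
  '2023-02-18T10:00:03Z broadcast txid=' + FAKE_TXID,                        // benign 64-hex
].join('\n');

console.log(safeLogLine('wallet', SAMPLE_WALLET));   // keys field appears as "[REDACTED]"
console.log(scanLogForKeys(SAMPLE_LOG));             // one wif hit on line 2, one hex32 hit on line 3
```

The split between redaction and scanning is deliberate: the logger must err toward dropping data, so it keys on field names first and only scrubs value patterns that are unambiguous, while the forensic scan must err toward catching everything and leaves the false positives (txids matching the 64-hex pattern) for an analyst. Notifying affected users, as described above, can then be done by matching the public address of each flagged key rather than by keeping the keys themselves on the server.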
For 8 years, Edge has prided itself on a stellar security record, securing millions in user funds with the ease that allows for mass adoption of true cryptocurrency self-custody. This failure was not up to the standard Edge users expect. Edge is using this experience to harden the platform and continue our mission: Empower users worldwide to interact with the crypto economy by making self-custody intuitive and accessible. We thank you for your continued support. Please reach out if you have any questions or concerns.
CEO / Co-founder