On March 27th of this year, the Jaxx Liberty wallet application was retired and users were redirected to other wallet applications, including Edge, as an alternative. To aid in the migration process, we published a blog post and how-to support article that instructed users to extract their master private key from Jaxx and, per best practices, write it down and type it into Edge via an import process.
Approximately one month after the announcement, we started to get support inquiries of users with funds drained from their wallets. All reports came from previous Jaxx users and after extensive investigation, we determined that a number of users had their funds stolen before their Edge account was even created. Furthermore, extensive interviews of affected users and log file analysis determined that many of them had executed poor key management and used their clipboard or photo library to copy their private key and transfer it from Jaxx to Edge. This opened up the possibility of clipboard hijacking as well as inadvertent upload of their unencrypted private keys to photo library backup services.
Our team reached out to another wallet service that received an influx of prior Jaxx users, and they confirmed that they had also experienced Jaxx users reporting stolen funds in the process of exporting and importing their private keys.
Several data points strongly suggest that there is no known security issue in Edge or other wallet applications receiving imported keys from Jaxx:
- A number of users lost funds before their Edge account was created
- A number of users exercised poor key management hygiene
- Since the retirement of Jaxx Liberty, there have been zero reports of compromised funds that were not due to importing of Jaxx private keys
- A third party wallet service confirmed that users reported stolen funds from the import process of Jaxx private keys
While we have not determined the exact cause of compromised funds in all cases, to help mitigate future issues, we have altered our recommended migration procedure to request that users NOT extract their private key from Jaxx, but rather utilize their previously stored backup phrase and enter that into Edge directly. In addition, we have implemented a migration process in Edge that will easily sweep funds from an imported private key into newly created private keys that have never been exposed.
Since the birth of Edge, we have always felt that abstracting private key management is critical to the security of the majority of cryptocurrency users. Requiring users to manually backup their private key opens them up to a plethora of attack vectors and the recent influx of reports confirms our thesis. In addition, the process of exporting and importing private keys between wallets exacerbates the problem due to the desire to easily transport keys between applications. This motivates the use of digital methods such as clipboards, email, messaging, photos, or even a combination of the above which put private keys at great risk of compromise.
While we are very disappointed to hear of any loss of cryptocurrency, Edge stands firm that the Edge app is not at fault for any loss of funds from these reports. Our biggest lesson learned is the importance of proper handling of private keys and how users can easily stumble out of best practices and into the common pitfalls. While the inner circle of crypto enthusiasts continuously reiterates best practices of key management, millions of users are distant from this inner circle and rarely see or hear the pitfalls they should be aware of. As an industry, we have a long road ahead to provide tools and services that strongly mitigate against common user error while still retaining the core advantages of self-custody.