The company behind Ever Surf, a wallet for the Everscale blockchain ecosystem, is shutting down its web version after a vulnerability was discovered by Check Point researchers. The Ever Surf team confirmed that the vulnerability allowed attackers to access wallets.
Ever Surf is a cross-platform messenger, blockchain browser and crypto wallet for the Everscale blockchain network available on Google Play and Apple iOS Store.
It currently has nearly 670,000 users worldwide and said it has facilitated at least 31.6 million transactions.
The Ever Surf team posted a blog explaining the issue on Friday, writing that Check Point security researchers discovered the vulnerability and worked with them to fix it.
Check Point published its own report detailing the issue on Monday, writing that the vulnerability allowed attackers to “easily” decrypt private keys and seed phrases that are stored in a browser’s local storage, giving attackers full control of a victim’s wallets.
The Check Point report indicates that the decryption took only a few minutes and could be done with consumer hardware.
Everscale noted that the web version of Ever Surf was “an experimental solution” that was helpful in the early stages of platform development.
“Unfortunately, the web version no longer matches our vision of fast and secure applications. We planned to increase Surf’s security level and release a desktop version in Q1. As soon as we are done with a SURF token release, expanding the token swap exchange, adding a new payment provider, and integrating gift cards,” the company explained.
“But when we received an email from the Check Point Research team, we knew there was no time to lose. Check Point Research conducted its own independent research into the security status of the web version of Surf and discovered its weakness. We followed this report, checked everything and made sure that the vulnerability exists. Our web version cannot provide secure use of password-based KDF due to an inability to provide a unique salt such as a device ID for this platform. Simply put, this means that there is a theoretical way to access your wallet and the assets within it.”
The company ended support for the web version of Surf and urged users to migrate to the desktop version.
They added that they don’t know how many people are using the web version, so they are posting information publicly to make sure no one’s funds are at risk.
“We won’t allow anyone to steal your funds, but it’s important to us that you don’t lose access to them yourself,” the company said.
Alexander Chailytko of Check Point Software added that Everscale is the technological successor to the TON network, which was developed by the Telegram team.
“At the same time, Everscale is still in the early stages of development. We assumed that there might be vulnerabilities in such a young product. We were also curious to know how key protection is implemented in the most popular wallet for this blockchain. CPR’s proof-of-concept presents multiple attack vectors that can lead an attacker to obtain private keys and plaintext seed phrases, which can then be used to gain full control over the victim’s wallet,” Chailytko said.
“Despite the fact that the vulnerability we found has been fixed in the new desktop version of the Ever Surf wallet, users may encounter other threats such as vulnerabilities in decentralized applications or general threats such as fraud and phishing.”