Q: What’s the issue?
First and foremost, this is a historical, low-risk bug caused by browsers. There are no known cases of lost funds.
The bug is not caused by any flaw in crypto wallets themselves, but by browser caching behavior (that is, how the browser temporarily stores information on disk). Under some circumstances, it has been observed across the industry that a wallet’s 24-word mnemonic (a.k.a. seed phrase, recovery phrase) may be written to a file on disk in plaintext when typed into a browser. This file is eventually overwritten.
If an attacker was able to read this file while the mnemonic was still present on disk (e.g. if your browser was infected with malware), they could gain access to the seed phrase. Also, if this cached seed phrase were ever backed up (for instance, a full disk backup to iCloud), an attacker who was able to breach your cloud storage could discover the seed phrase.
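The following is an added example, not code from the Avalanche wallet, showing one defence-in-depth measure a web wallet can apply to its seed-phrase input: give the browser every available hint not to persist, autofill or spell-check the field, and wipe the field once the mnemonic has been consumed. It assumes (this is not stated on this page) that password-type fields with autocomplete disabled are what browsers exclude from form autofill and session-restore storage; the attribute list and the helper names are the example's own.

```javascript
// Attributes applied to the mnemonic field. Assumption: password-type fields
// are excluded from browser form-restore and spell-check storage, and
// autocomplete="off" keeps the value out of the browser's autofill store.
// This reduces, but does not eliminate, the chance of on-disk caching.
const SEED_FIELD_ATTRIBUTES = Object.freeze({
  type: "password",
  autocomplete: "off",
  spellcheck: "false",
  autocapitalize: "off",
  autocorrect: "off", // Safari-specific hint, harmless elsewhere
});

// Apply the hardening attributes to an <input>-like element.
function hardenSeedPhraseInput(input) {
  for (const [key, value] of Object.entries(SEED_FIELD_ATTRIBUTES)) {
    input.setAttribute(key, value);
  }
  return input;
}

// Check that a field carries every hardening attribute; a wallet can run
// this in its tests so a later refactor cannot silently revert the field
// to a plain text box.
function isSeedPhraseInputHardened(input) {
  return Object.entries(SEED_FIELD_ATTRIBUTES).every(
    ([key, value]) => input.getAttribute(key) === value
  );
}

// Once the mnemonic has been used (keys derived), clear the value and detach
// the element so a later serialization of the page cannot include it.
function wipeSeedPhraseInput(input) {
  input.value = "";
  input.setAttribute("value", "");
  if (typeof input.remove === "function") input.remove();
  return input;
}

// Convenience for a real DOM: create, harden and return the field.
function createSeedPhraseInput(doc) {
  return hardenSeedPhraseInput(doc.createElement("input"));
}
```

The helpers operate on anything exposing `setAttribute`/`getAttribute`, so they can be unit-tested with a stub element outside a browser.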
Phishing, scams and social engineering remain the most prevalent forms of attack against crypto wallet users.
Q: If I'm using a hardware wallet, am I affected?
If you created your account on your hardware wallet, then you are unaffected by this security issue.
If you created an account on a web wallet, and the browser improperly cached (temporarily stored) your seed phrase on disk, and then you typed the seed phrase into a hardware wallet at a later date, you may be affected.
Q: I'm not a hardware wallet user. Am I affected by this bug?
It’s unlikely, but possible. There is a small risk that if you created an Avalanche web wallet before March 25, 2022 (when the web wallet was patched to fix the issue), the web browser may have insecurely cached (temporarily stored) your seed phrase on disk.
This information eventually gets overwritten. However, if you have any kind of disk backup system that would include these files (for instance, a full disk backup to iCloud includes this temporary browser file), there is a possibility that your seed phrase could be included in that backup.
Q: What action should I take?
If you are using a hardware wallet, and you created your seed phrase on the hardware wallet, you do not need to take any action.
If you have previously used, and continue to use, any browser-based wallet secured with a seed phrase, there is a low risk that your seed phrase could have been exposed if:
1) Malware was present on your device at the time of creation of the wallet.
2) You have backed up your entire device and an attacker managed to gain access to those backups by breaching the security of your cloud storage.
If you are storing large amounts of AVAX in the web wallet, it is recommended that you migrate to a hardware wallet solution, such as the Ledger Nano S. For smaller amounts you may decide to migrate to a hardware wallet, create a new web wallet account, or migrate to another hot wallet, such as the soon-to-be-released Avalanche Core browser extension or mobile wallet.
As always, please make sure to write down your seed phrase and store it in a safe physical location prior to any migration.
Q: Does this issue affect the upcoming Avalanche browser extension or mobile wallet?
No. The issue with how browsers handle this information has been fixed across the industry, and is not a persistent issue. This issue is not known to affect mobile apps.
Note: This FAQ is provided for informational purposes only, without representation, warranty or guarantee of any kind. The Avalanche Web Wallet is self-custodial in nature. You are therefore solely responsible for the safeguarding, retention and security of your seed phrase, private keys and password as well as any risk assessments, decisions, actions or omissions with respect to your seed phrase or use of the wallet, including whether and how to migrate to another wallet. Please review this Notice and conduct your own research to properly evaluate the risks and benefits of any decision.