Edge Wallet Alert: 2000 Private Keys Leaked; Huge Amount Loss

On February 20, 2023, Edge senior staff got notified of private keys security incident involving a user who had experienced an unauthorized transaction that emptied their entire Bitcoin wallet. An investigation discovered that the private key of the user’s Bitcoin wallet compromised due to a vulnerability in the Edge application.

Further investigation revealed that the vulnerability would only leak private keys if a user performed both of the following actions:

• Selected a buying or selling option from the bottom navigation bar Buy or Sell tabs to store the wallet’s unencrypted private key to the device’s disc.
• Used the “Upload Logs” feature in Edge, which would send logs to Edge servers, including the private key, if the upload did after entering one of the buy/sell options.

Due to this vulnerability, about 2000 private keys got compromised, less than 0.01% of all the keys generated on the Edge platform. A spot check of several dozen private keys revealed that many still had funds. Therefore, it appears that there has not been a widespread compromise of Edge infrastructure that would have affected the majority of funds on such keys.

Given the narrow nature of how a user’s keys may compromise and the limited reports received from users with missing funds, currently amounting to low five figures in USD, this incident has a very limited scope. It may have been a targeted attack on the affected users. However, Edge continues investigating the incident, including deep device forensics, to determine if malware may have accessed the unencrypted private keys on disk.

In response to this incident, Edge strongly advises all users to update to the most recent version of Edge (v3.3.1), accessible via direct download on their website, the Google Play Store, and the Apple App Store. This release fixes all known vulnerabilities involving private wallet keys and deletes all prior logs off the disk.

To secure funds, users should create new wallets within their current accounts and move money from their old wallets to their new ones.

Edge Took Immediate Action Seized to transfer funds 

A new development is underway to make the transfer of funds to new keys a simple process in just a few clicks. Moreover, Edge intends to make available a version that will notify users if their wallet keys upload to Edge log servers based on the matching public address.

While the security incident is severe, it has a limited scope, and Edge is taking swift action to address the issue and protect its users. By updating to the latest version of Edge and creating new wallets, users can take steps to secure their funds and prevent any further potential compromises.