New Nano mobile wallet pulled within hours due to security vulnerabilities.
Yesterday the Nano Wallet Company launched the long-awaited new mobile wallet for the Nano Cryptocurrency. The wallets, available for iOS, Android, Mac, Windows and Linux, had apparently been “in the works since last year.” Within hours the Android version was pulled due to security concerns.
The Nano Wallet Company is “a separate entity, unconnected to the Nano Foundation,” though there “is some overlap in those working for both companies.” It is difficult to identify everyone who is involved in both organisations as the Nano Wallet Company website does not name its team. One Nano Foundation member who is involved in the wallet project is developer Zack Shapiro, who announced his pre-launch excitement on Twitter.
— Zack Shapiro (@ZackShapiro) June 21, 2018
However, things did not go according to plan.
“Immediately move your funds”
Shortly after release Troy Retzer, Nano’s chief of Communications & Public Relations, warned early adopters of the Android version to “immediately move your funds to another wallet derived from a different seed” and promised that the team would “have a patch shortly.”
The issue seems to be that the ‘random’ numbers used to create seeds in the Android version were not quite as random as they could be. Shapiro promised a “full run-down once the patch is out,” but said that there was good news: the problem “does not appear to be exploitable.”
Within hours a new version had been released with a temporary fix, and version 1.0.2 is expected soon. Some community members congratulated the Nano team on its transparency and quick response to the issue, though others felt it was unforgivably unprofessional.
Shapiro takes responsibility for the error, saying that it was his “fault for being afraid to open source earlier.”
When asked if the code had been subject to a full review, Shapiro replied that the review process had been optional, and not fulfilled in this case.
He added that the team were aware of their responsibility in looking after people’s funds, and that out of this mistake would come improvements to the company’s work processes and quality assurance.