Algorand blasted over inaction on ongoing wallet drain hack
Algorand Foundation responds to wallet hack, urging users to switch to more secure wallet options.
ZachXBT blasted Algorand’s failure to “acknowledge” an ongoing wallet drain hack.
The self-described “on-chain sleuth” said the Algrorand users had lost millions of dollars in the attack. Yet the project is continuing to drag its feet in helping those affected.
“How about you clowns actually acknowledge the on-going attack stealing millions from community members and assist them.“
Mysterious wallet drain
On Feb. 27, wallet providers MyAlgo posted a critical advisory recommending all users withdraw funds from Mnemonic wallets stored in MyAlgo.
The post acknowledged “recent hacks” and stated the attack’s root cause is still unknown.
“The attacks happened over one week ago, and no other movements have taken place since then.“
Digging into the matter, ZachXBT suspected hackers had taken over $9.2 million, comprised chiefly of 19.5 million ALGO and 3.5 million USDC, between Feb. 19 – 21.
More than a week after MyAlgo’s initial warning, ZachXBT condemned Algorand for its inaction in closing off the attacker’s off-ramping avenues. He added that the community neglect displayed is unacceptable.
“Why is it just people from the community and myself sharing the attackers addresses with exchanges meanwhile just silence from your embarrassment of an org.“
Collating tweets from frustrated Algorand holders, ZachXBT confirmed that wallet drains are still happening as of March 7.
Algorand Foundation responds
On March 6, the Algorand Foundation admitted the problem by summarizing the situation. It said that investigations showed no protocol or software development kit vulnerabilities.
“The Algorand protocol is robust and secure, and has not been compromised.“
Furthermore, the foundation has been in contact with MyAlgo and confirmed the wallet provider had not identified any vulnerabilities. But inquiries are still ongoing.
The Algorand Foundation distanced itself from MyAlgo, saying the wallet provider is a third party and has no direct association with the protocol or foundation.
Reiterating advice to withdraw funds from MyAlgo, the foundation added users may also “re-key” to another wallet provider or hardware wallet, with the PeraAlgo and Defly wallets recommended.
Algorand CTO John Woods posted a video on wallet security that focused on how crypto wallets work from a technical viewpoint. He advised users to store funds on a hardware wallet due to its superior protection over other wallet types.
“the key never leaves the hardware wallet; the hardware wallet doesn’t have the physical capability to give the key out via the USB interface.”
Woods said he and Algorand care when people are impacted by fraud and theft. He asked for patience while MyAlgo conducted its forensic analysis.