Wallet Seed Security Update


Dear Klever Community,

We at Klever consider the security of our wallet software to be the cornerstone of our operations. Our commitment is to provide a secure environment for our users, and we actively collaborate with experts in the field to identify, address, and swiftly resolve any vulnerabilities that arise. As part of our ongoing seed security update, we continually improve our systems to stay ahead of potential threats. Despite constant vigilance, however, vulnerabilities can occasionally emerge as attack techniques advance.

On July 12, 2023, we became aware that a subset of our users, among users of many other wallet providers, fell victim to a brute force attack that exploited a flaw in the implementation of a third-party library, trezor-crypto-ios 0.0.5, available at https://github.com/trustwallet/trezor-crypto-ios/tree/0.0.5 and used for iOS builds. Note that some legacy wallet providers used this library from June 2018 to December 2018. Regrettably, this vulnerability affected users who had used this specific library version to generate their wallet seeds.

It is important to emphasize that this vulnerability is exploitable only in version 0.0.5 or earlier; with the release of version 0.0.9 (https://github.com/trustwallet/trezor-crypto-ios/releases/tag/0.0.9) in October 2018, it was no longer exploitable. Nevertheless, users who generated their wallet seeds before the 0.0.9 update remain exposed.

This vulnerability was attributed to the use of a weak Pseudorandom Number Generator (PRNG) to produce the 32 bytes of seed entropy. Because the PRNG was seeded with a 32-bit integer, only 2^32 distinct mnemonics could ever be produced by the library, regardless of how many output bytes it emitted. This limited pool of mnemonics allowed attackers to enumerate the possible seeds and gain access to the corresponding wallets using currently available computing power.
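The following is an added illustration, not code from Klever or from trezor-crypto-ios, of the structural defect described above: a deterministic PRNG seeded with a single 32-bit value cannot emit more than 32 bits of entropy, however many bytes it produces. The `weak_entropy` function is a constructed stand-in using Python's non-cryptographic `random` module (the real library's internals are not reproduced here); `secure_entropy` shows the corrective, drawing from the OS CSPRNG.

```python
import random
import secrets

ENTROPY_BYTES = 32  # 256 bits of entropy, the input size for a 24-word mnemonic


def weak_entropy(seed32: int) -> bytes:
    """Constructed stand-in for the flawed pattern: a non-cryptographic PRNG
    (Python's Mersenne Twister here) seeded with one 32-bit integer and asked
    for 32 bytes. This is NOT trezor-crypto-ios code; it only reproduces the
    structural defect of a 32-bit seed feeding a 256-bit output."""
    if not 0 <= seed32 < 2 ** 32:
        raise ValueError("seed must be an unsigned 32-bit integer")
    rng = random.Random(seed32)
    return bytes(rng.getrandbits(8) for _ in range(ENTROPY_BYTES))


def secure_entropy() -> bytes:
    """What a wallet should do instead: draw entropy from the OS CSPRNG."""
    return secrets.token_bytes(ENTROPY_BYTES)


def effective_entropy_bits(seed_bits: int, output_bytes: int) -> int:
    """A deterministic PRNG cannot output more entropy than its seed holds,
    however many bytes it emits. Returns the effective security level in bits."""
    return min(seed_bits, output_bytes * 8)


def distinct_outputs(seed_bits: int) -> int:
    """Upper bound on the number of distinct entropy values (and therefore
    mnemonics) a generator with this seed width can ever produce."""
    return 2 ** seed_bits


def check_reproducibility(seed32: int) -> bool:
    """True when two calls with the same seed yield identical entropy: the
    symptom that makes the whole seed space enumerable."""
    return weak_entropy(seed32) == weak_entropy(seed32)


if __name__ == "__main__":
    print("weak generator, seed 1337:", weak_entropy(1337).hex())
    print("same seed again:          ", weak_entropy(1337).hex())
    print("effective bits (32-bit seed):", effective_entropy_bits(32, ENTROPY_BYTES))
    print("effective bits (CSPRNG):     ", effective_entropy_bits(256, ENTROPY_BYTES))
    print("distinct mnemonics, 32-bit seed:", distinct_outputs(32))
    print("secure generator:", secure_entropy().hex())
```

Running the block shows the two weak outputs are byte-for-byte identical, while the `effective_entropy_bits` comparison (32 versus 256) is the whole gap between the flawed library and a correct generator; the 2^32 figure is the bound the notice refers to.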

Recommended Actions for Users

  1. Ensure you use the latest version of the Klever Wallet, which is secure and free from this vulnerability. It also now includes 24-word seed phrase generation as part of our seed security update.

  2. We strongly advise creating a 24-word seed phrase with KleverSafe, a specific component of Klever, because it employs a true Random Number Generator (RNG) that uses physical phenomena to generate entropy, providing a reliable and highly secure source of randomness.
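As an added example (not Klever's or KleverSafe's code), the block below shows how 32 bytes of entropy become a 24-word BIP-39 mnemonic: a checksum of ENT/32 bits is taken from SHA-256 of the entropy, appended, and the result is cut into 11-bit word indices. The 2048-word list lookup is omitted, so indices are returned rather than words; the zero-entropy results checked here match the published BIP-39 reference vectors ("abandon ... about" for 16 bytes and "abandon ... art" for 32 bytes). `verify_checksum` is the integrity check a wallet performs on a phrase being imported.

```python
import hashlib

VALID_ENTROPY_BITS = (128, 160, 192, 224, 256)  # BIP-39: 12, 15, 18, 21, 24 words


def bip39_word_indices(entropy: bytes) -> list:
    """Map raw entropy to BIP-39 word indices (0..2047).

    ENT bits of entropy get CS = ENT/32 checksum bits (the leading bits of
    SHA-256(entropy)); the ENT+CS bit string is split into 11-bit groups,
    one per word. Word-list lookup is left out; indices are returned.
    """
    ent_bits = len(entropy) * 8
    if ent_bits not in VALID_ENTROPY_BITS:
        raise ValueError("entropy must be 16, 20, 24, 28 or 32 bytes")
    cs_bits = ent_bits // 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    bits = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    total_bits = ent_bits + cs_bits
    n_words = total_bits // 11
    return [(bits >> (total_bits - 11 * (i + 1))) & 0x7FF for i in range(n_words)]


def mnemonic_length(entropy: bytes) -> int:
    """Number of words the given entropy size yields (32 bytes -> 24 words)."""
    return len(bip39_word_indices(entropy))


def verify_checksum(indices) -> bool:
    """Reverse direction: rebuild the entropy from word indices and confirm the
    embedded checksum matches. A wallet runs this when a phrase is imported."""
    total_bits = len(indices) * 11
    cs_bits = total_bits // 33          # CS = ENT/32 and ENT + CS = total
    ent_bits = total_bits - cs_bits
    if ent_bits not in VALID_ENTROPY_BITS:
        return False
    bits = 0
    for idx in indices:
        if not 0 <= idx < 2048:
            return False
        bits = (bits << 11) | idx
    entropy = (bits >> cs_bits).to_bytes(ent_bits // 8, "big")
    return bip39_word_indices(entropy) == list(indices)


if __name__ == "__main__":
    words = bip39_word_indices(bytes(32))  # all-zero entropy, a known test vector
    print("word count:", len(words), "last index:", words[-1], "(102 = 'art')")
    print("checksum valid:", verify_checksum(words))
    words[-1] = 0  # corrupt the checksum word
    print("after corruption:", verify_checksum(words))
```

The 24-word length follows directly from the arithmetic in the block: 256 entropy bits plus 8 checksum bits is 264 bits, which divides into exactly 24 groups of 11. The quality of those 32 input bytes, not the word count, is what the RNG source determines.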

The KleverSafe implementation is built around an analog noise source as its entropy source, followed by a digitization stage with post-processing, a high-quality conditioning algorithm, a health monitoring block, and two interfaces for interacting with the entropy source. As a recommended action for users, we advise regularly updating your KleverSafe settings and verifying the integrity of your seed phrases to ensure maximum security.

The combination of these features and processes ensures that the random numbers generated by KleverSafe are not only secure but also resistant to brute-force attacks and key guessing. By relying on physical phenomena and applying rigorous conditioning and monitoring stages, KleverSafe offers a robust and trustworthy source of randomness for cryptographic operations within the Klever ecosystem.

WHO IS NOT AFFECTED?

  • If you have only used the Klever mobile apps.

  • If your wallet was created with a release after 2019.

  • If you have only used the Android mobile apps.

WHO IS AFFECTED?

  • If you used the compromised library version, trezor-crypto-ios 0.0.5, on an iOS device to generate your wallet seed, your assets may be at risk.

  • Check these public GitHub repositories for exposure to the affected library, trezor-crypto-ios 0.0.5:


WHAT ACTIONS TO TAKE?

We recommend moving your funds to a newly created wallet from the Klever ecosystem, namely Klever Wallet, to prevent further losses. This step is crucial as part of our ongoing seed security update efforts.

If unsure about the security of your mnemonic, create a new one and migrate all your funds.

We are grateful for the continuous support of our community during this challenging time, and we appreciate the assistance of all the security researchers who have helped us identify and address these issues. As part of our seed security update, we remain dedicated to providing a secure environment for our users and will continue to enhance our security measures to prevent such incidents in the future.

Sincerely,

The Klever team
