Algorand CTO John Alan Woods has shared an update on the thefts reported on MyAlgo wallets in the past week.
According to Woods, the exploit, which impacted over 25 accounts, remains under investigation. However, while the investigation is ongoing, he advises MyAlgo hot wallet users to consider rekeying to a Ledger or other third-party wallet as a precautionary measure.
1/n Update on the exploit impacting ~25 accounts: from our investigation, this is not the result of an underlying issue with the Algorand protocol or SDK. — John Woods (@JohnAlanWoods) February 27, 2023
Rekeying is a feature of the Algorand blockchain that is akin to "changing passwords."
The Algorand CTO stressed that the exploit did not result from an underlying issue with the Algorand protocol or SDK. He said that once the investigation is concluded, he will share an explainer video covering how the exploit happened and how users can safeguard themselves in the future.
Impact of Feb. 20 Algorand theft
D13.co, an Algorand-focused developer collective, shared a preliminary advisory report on the Feb. 20 Algorand thefts from its Twitter account.
Preliminary report; our views on the Algorand 20-02-2023 thefts. We believe there is reasonable doubt about the human error interpretation, and enough cause for concern to follow @myalgo_ recommendation to move funds. We discuss possibilities. — D13.co (@d13_co) February 28, 2023
According to the report, "there is a non-zero chance of a MyAlgo wallet software compromise leading to the theft of at least $7.2 million worth of assets on the Algorand blockchain. We recommend rekeying MyAlgo accounts to fresh private keys or simply moving funds where possible."
A total of 17 addresses were confirmed as compromised, with at least $7.2 million stolen in ALGO, USDC and other assets. A further $1.4 million was suspected to have been compromised on four more addresses.
The report adds that of the 13 addresses identified on the day of the attacks as "suspicious/highly suspicious," 12 have now been confirmed, and a further five new addresses have been confirmed so far by impacted users coming forward.
Meanwhile, four more addresses were identified by Rand Labs, bringing the total affected accounts to 25.