Bitpay and Copay Wallets’ Private Keys at Risk

Colin Muller

Bitpay, one of the oldest fiat-cryptocurrency gateways in the industry, has alerted users that part of the code used by its Android wallet app, built on the Copay open-source wallet software, was found to be vulnerable to an exploit meant to steal users’ private keys.

The company says that its wallet app was not exposed to the malicious code; however, the Copay core software appears to have been vulnerable. Several cryptoasset wallets are built on top of this software, as is the native Copay wallet itself.

Developers have already released a patch for the Copay vulnerability, announced on social media for both Bitpay and Copay, and it is available for download.

Very critically, however, users should not load a new wallet on the new version from their existing seed phrases, as these may have been compromised.

Users should not attempt to move funds to new wallets by importing affected wallets' twelve word backup phrases (which correspond to potentially compromised private keys). Users should first update their affected wallets (5.0.2-5.1.0) and then send all funds from affected wallets to a brand new wallet on version 5.2.0, using the Send Max feature to initiate transactions of all funds.

Bitpay official statement

The statement also advised that users running an affected older version should not run the app at all until they have updated.

What Happened?

An explanation of the events is available on Copay's GitHub page, where an issue was opened yesterday and has already been closed and resolved, and also on ZDNet.

A very popular JavaScript code library called Event-Stream was handed off by the developer maintaining it because of, as ZDNet reports, a "lack of time and interest." In a devilish twist, the new developer to whom the original maintainer willingly gave the project apparently had ill intentions, and hid malicious code deep in the library, in only some of its versions, in order to trigger it later and compromise cryptocurrency wallets.

The JavaScript team responsible for Event-Stream has shut down access to the affected code, but it does remain in the wild. Taking the steps above, however, should keep crypto users in the clear.