Bitpay, one of the oldest fiat-cryptocurrency gateways in the industry, has alerted users that part of the code used by its Android wallet app, built on the Copay open-source wallet software, was found to be vulnerable to an exploit meant to steal users’ private keys.
The company say that their wallet app was not exposed to the malicious code - however, the Copay core software seems to have been vulnerable. Several cryptoasset wallets are built on top of this software, as well as a native Copay version.
Developers have already released a patch for the Copay vulnerability, announced on social media for both Bitpay and Copay, and it is available for download.
Very critically, however, users should not load a new wallet on the new version from their seed phrases as these may be compromised used.
Users should not attempt to move funds to new wallets by importing affected wallets' twelve word backup phrases (which correspond to potentially compromised private keys). Users should first update their affected wallets (5.0.2-5.1.0) and then send all funds from affected wallets to a brand new wallet on version 5.2.0, using the Send Max feature to initiate transactions of all funds.
The statement also informed that before updating, users running the older version should not run the app at all.