Developers of the Beam Wallet have discovered and fixed a critical vulnerability in their software. The announcements of the discovery and the fix came simultaneously, on Twitter and on the startup’s official blog.
The Beam team posted detailed instructions for users to follow in order to update their wallets, and said that the vulnerability affects all previously released versions of the wallet.
They note, critically, that they themselves discovered the vulnerability, and that:
So far, we are not aware of Beam’s users being affected by this vulnerability. We are working with various providers in the ecosystem to upgrade their systems.
Beam (the company) is a payment solution provider most prominently serving the United Arab Emirates. The wallet software is notable for its implementation of Mimblewimble, a privacy protocol that can greatly enhance privacy without using a lot of memory for transactions.
Mimblewimble transactions, unlike with public blockchains, are not (necessarily) visible in a blockchain explorer. The protocol makes use of both “blinding factors” and CoinJoin, to bundle many transactions together and encrypt their contents to all but the senders and receivers of transactions. One of Beam’s objectives is to create the option for publically visible transactions.
Beam released its Mimblewimble mainnet only on January 3, stating at the time (correctly, it seems) that because “Beam is of innovative nature, this Version, even though developed in accordance to state of the art, is likely to: (i) contain bugs, defects, or errors.”
But the software is indeed state of the art, and is the first released implementation of the Mimblewimble idea and protocol. A competing Mimblewimble blockchain, called Grin, is set to launch its own mainnet in a few days. Grin even got a mention in a recent article in The Guardian on the subject of Bitcoin’s tenth birthday.