Everscale blockchain wallet shutters web version after vulnerability found

The company behind Ever Surf, a wallet for the Everscale blockchain ecosystem, is shuttering its web version after a vulnerability was found by Check Point researchers. The Ever Surf team confirmed that the vulnerability allowed attackers to gain access to wallets.

Ever Surf is a cross-platform messenger, blockchain browser, and crypto wallet for the Everscale blockchain network available on Google Play and Apple iOS Store. 

It currently has nearly 670,000 users around the world and said it has facilitated at least 31.6 million transactions. 

The Ever Surf team released a blog explaining the issue on Friday, writing that security researchers with Check Point discovered the vulnerability and worked with them to resolve it. 

Check Point published its own report detailing the issue on Monday, writing that the vulnerability allowed attackers to “easily” decrypt the private keys and seed phrases that are stored in a browser’s local storage, giving attackers full control of a victim’s wallets.

Check Point’s report said the decryption only took a few minutes and could be done with consumer-grade hardware.

Everscale noted that the web version of Ever Surf was “an experimental solution” that was helpful in the initial stages of the platform’s development.

“Unfortunately, now the web version no longer meets our views of fast and secure applications. We planned to increase the security level of Surf and launch a desktop version in the first quarter. As soon as we finish with a SURF token release, developing the token swap exchange, adding a new payment provider and integrating gift cards,” the company explained. 

“But when we received an email from the Check Point Research team, we understood there is no time to lose. Check Point Research conducted their own independent research about the security status of the Surf web version and found out its weakness. We followed this report, checked everything and ensured that the vulnerability exists. Our web version cannot provide a secure use of password-based KDF because of an inability to provide a unique salt such as device ID for that platform. In simple terms, that means there is a theoretical way to get access to your wallet and assets on it.”

The company has ended support for the Surf web version and urged users to migrate to the desktop version. 

They added that they don’t know how many people use the web version so they are releasing information publicly to make sure no one’s funds are at risk.

“We will allow no one to steal your funds, but it is important to us you do not lose access to them yourself,” the company said. 

Check Point Software’s Alexander Chailytko added that Everscale is the technological successor of the TON network, which was developed by the Telegram team. 

“At the same time, Everscale is still in the early stages of development. We assumed that there might be vulnerabilities in such a young product. We were also curious how key protection is implemented in the most popular wallet for this blockchain. CPR’s proof of concept presents several attack vectors that can lead to an attacker obtaining private keys and seed phrases in clear text, which can then be used to gain full control over the victim's wallet,” Chailytko said. 

“Despite the fact that the vulnerability we found has been patched in the new desktop version of the Ever Surf wallet, users may encounter other threats such as vulnerabilities in decentralized applications, or general threats like fraud, phishing.”