We have published an updated version of the ONE wallet Chrome extension (version 1.0.9). This version has been reviewed and audited by our security partner, PeckShield. The audit is being delivered in two phases: the first phase focuses on the security aspects of the wallet, is now complete, and its report can be found here. The second phase will include a full write-up and will be published in the next two weeks.

Following are the fixes and additions since the previous version (1.0.7):

Security

* Tab response hijacking protection

* Safe hostname detection

  • The extension records the hostname of the page that issued a signing request and allows only one transaction to be pending for signature at a time, so a request from another page or tab cannot be slipped into the approval flow. This prevents hijacking of transactions.

* Private data is unreachable from the page's JavaScript runtime

  • All sensitive user data (private key, password, PIN) is protected with a PBKDF (password-based key derivation function). The derivation is deliberately slow, so brute-forcing the password is far more expensive than against a plain hash (a weak password nevertheless remains the weakest link), and third-party websites cannot access the extension's storage directly.
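
The two points above (safe hostname detection and tab response hijacking protection) are illustrated by the following added example. It is not the ONE wallet's own code: it is a minimal signing gate of the kind a wallet extension's background script can use to accept signing requests only from an acceptable origin, hold at most one pending request at a time, and release the signed result only to the tab and hostname that asked for it. The `sender` objects mimic the shape of `chrome.runtime.MessageSender`; the class, method names and the https-only rule are assumptions made for this example.

```javascript
// Added example, not the ONE wallet's own code. Assumed names throughout.
const ALLOWED_SCHEMES = new Set(["https:"]); // assumption: dapps must be served over https

// Returns the lower-cased hostname of a page URL, or null if the URL is not
// one we are willing to sign for (unparseable, wrong scheme, empty host).
function safeHostname(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol) || parsed.hostname === "") return null;
  return parsed.hostname.toLowerCase();
}

function tabIdOf(sender) {
  return sender && sender.tab && typeof sender.tab.id === "number" ? sender.tab.id : null;
}

class SigningGate {
  constructor() {
    this.pending = null; // at most one request in flight
    this.nextId = 1;
  }

  // Content script -> background: page `sender` wants `tx` signed.
  request(sender, tx) {
    const host = safeHostname(sender.url);
    const tabId = tabIdOf(sender);
    if (host === null || tabId === null) return { ok: false, error: "untrusted origin" };
    if (this.pending !== null) return { ok: false, error: "another request is pending" };
    const id = this.nextId++;
    this.pending = { id, tabId, host, tx, signature: null };
    return { ok: true, id, host };
  }

  // Approval UI (the extension's own popup) -> background: the user approved
  // request `id` and the wallet produced `signature` for it.
  approve(id, signature) {
    if (this.pending === null || this.pending.id !== id) return { ok: false, error: "no such request" };
    this.pending.signature = signature;
    return { ok: true };
  }

  // Content script -> background: a tab asks for the result of request `id`.
  // The result is released once, and only to the originating tab and hostname.
  deliver(sender, id) {
    const p = this.pending;
    if (p === null || p.id !== id) return { ok: false, error: "no such request" };
    if (tabIdOf(sender) !== p.tabId || safeHostname(sender.url) !== p.host) {
      return { ok: false, error: "response requested by a different tab or origin" };
    }
    if (p.signature === null) return { ok: false, error: "not yet approved" };
    this.pending = null; // slot is free for the next request
    return { ok: true, id, host: p.host, tx: p.tx, signature: p.signature };
  }
}

// Constructed walk-through: an honest dapp tab and a second tab trying to grab the answer.
function demo() {
  const gate = new SigningGate();
  const dapp = { tab: { id: 1 }, url: "https://dapp.example/swap" };
  const other = { tab: { id: 2 }, url: "https://other.example/" };
  const req = gate.request(dapp, { to: "0x1111111111111111111111111111111111111111", value: "1" });
  const second = gate.request(other, { to: "0x2222222222222222222222222222222222222222", value: "2" });
  gate.approve(req.id, "0xsignature");
  const stolen = gate.deliver(other, req.id);
  const honest = gate.deliver(dapp, req.id);
  const replay = gate.deliver(dapp, req.id);
  return { req, second, stolen, honest, replay };
}

console.log(JSON.stringify(demo(), null, 2));
```

The design point is that the hostname and tab id are captured when the request is created and compared again when the result is handed out; a page cannot claim a different origin later, and because only one request can be pending, a second tab cannot queue its own transaction behind an approval the user believes belongs to the first.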

Features

* Displaying a suggested human-readable method name with its input arguments when signing a transaction that carries input data

  • We decode the transaction's input data into a human-readable method name and arguments (as etherscan.io does) so that users can verify they are signing the transaction they expect.
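
How such decoding works, as an added example that is not the wallet's own decoder: the first four bytes of the input data select the method, and each static argument occupies one 32-byte word after it. The selector table below holds three well-known ERC-20 selectors (the first four bytes of the keccak256 hash of the method signature); a real wallet would consult a signature database. Only static types (address, uintN, bool) are handled here, and the sample calldata is constructed for this example.

```javascript
// Added example, not the ONE wallet's own code. Well-known ERC-20 selectors;
// param names are the conventional ones.
const KNOWN_SELECTORS = {
  "a9059cbb": { name: "transfer", params: [["to", "address"], ["amount", "uint256"]] },
  "095ea7b3": { name: "approve", params: [["spender", "address"], ["amount", "uint256"]] },
  "23b872dd": { name: "transferFrom", params: [["from", "address"], ["to", "address"], ["amount", "uint256"]] },
};

// Decodes one 32-byte ABI word (64 lower-case hex chars) of a static type.
function decodeWord(type, wordHex) {
  if (type === "address") {
    // An address is right-aligned in the word; the top 12 bytes must be zero.
    if (!/^0{24}/.test(wordHex)) throw new Error("non-zero padding in address word");
    return "0x" + wordHex.slice(24);
  }
  if (/^uint\d*$/.test(type)) return BigInt("0x" + wordHex).toString();
  if (type === "bool") return BigInt("0x" + wordHex) !== 0n;
  throw new Error("unsupported type " + type);
}

// Returns { method, selector, args } on success, or { method: null, reason }
// when the wallet should show the user raw data instead of a friendly name.
function decodeInput(inputHex) {
  const hex = (inputHex.startsWith("0x") ? inputHex.slice(2) : inputHex).toLowerCase();
  if (hex.length < 8 || !/^[0-9a-f]*$/.test(hex)) return { method: null, reason: "malformed input" };
  const selector = hex.slice(0, 8);
  const abi = KNOWN_SELECTORS[selector];
  if (!abi) return { method: null, selector: "0x" + selector, reason: "unknown selector" };
  const body = hex.slice(8);
  // The EVM tolerates extra trailing bytes, so a wallet should refuse to
  // present a clean decoding when the length does not match exactly.
  if (body.length !== abi.params.length * 64) {
    return { method: null, selector: "0x" + selector, reason: "argument length mismatch" };
  }
  try {
    const args = {};
    abi.params.forEach(([name, type], i) => {
      args[name] = decodeWord(type, body.slice(i * 64, (i + 1) * 64));
    });
    return { method: abi.name, selector: "0x" + selector, args };
  } catch (e) {
    return { method: null, selector: "0x" + selector, reason: e.message };
  }
}

// Renders the decoded call the way a confirmation screen might show it.
function formatCall(decoded) {
  if (decoded.method === null) return `unknown call (${decoded.reason})`;
  const parts = Object.entries(decoded.args).map(([k, v]) => `${k}=${v}`);
  return `${decoded.method}(${parts.join(", ")})`;
}

// Constructed sample: transfer(0x1111..., 1e18) as raw calldata.
const SAMPLE_INPUT =
  "0xa9059cbb" + "0".repeat(24) + "1".repeat(40) + (10n ** 18n).toString(16).padStart(64, "0");
console.log(formatCall(decodeInput(SAMPLE_INPUT)));
```

Note that the decoded name is only a suggestion: selectors are four bytes, so an unrelated method can share a selector with a well-known one, and the decoder cannot tell whether the contract at the destination actually implements the suggested method.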

You can continue to use the ONE wallet for storing and transacting your ONE and other Harmony assets.

Update on the ONE wallet exploit incident on 11/18/2020

We were able to identify and work with the hacker to recover the lost funds. As a token of goodwill, the foundation issued a security bounty to the hacker. The foundation has also launched a security bounty fund to promote open development & testing and pre-empt security vulnerabilities and attack vectors for our infrastructure and tools. Feel free to reach out at security@harmony.one.

We were also fortunate to work together with the affected users in getting vital information about the incident. We have already refunded the hacked funds to the known affected users.

We thank our community and security partners for their support.