PSA: Many Insecure Banano Vault Seeds Have Been Compromised
Jan 25, 2024 • 5 min read
TLDR:
After the Banano Vault web-wallet was shut down, the Banano team was helping various users recover/transfer their funds from Vault to the TheBananoStand web-wallet which is actively maintained.
- It was discovered that multiple users had used insecure seeds for Vault — e.g. using a ban address as the seed, which is completely insecure and exploitable by anyone to gain full access to the wallet. Vault did not have sufficient validation checks to prevent this (while other Banano wallets such as Kalium and TheBananoStand do).
- Seeds generated by Vault are still considered safe and can be used in other wallets. The issue only affects those who imported an insecure seed into Vault.
- The Banano team identified it was a much larger issue, and decided to secure as much Banano as possible from these wallets before someone else took the Banano for profit. Multiple unknown actors identified the same issue around the same time and also began sweeping funds from those insecure wallets.
- The Banano team recovered 800k+ Banano from over 500 accounts, while the unknown actors recovered 240k+ Banano from over 400 accounts.
- For those who have used insecure seeds (in whatever form) for their wallets — please immediately move funds to a new wallet. Kalium and TheBananoStand have more stringent checks for the seed.
- If your funds have been swept, please check where they have been sent.
If the funds were sent to the holding wallet from the Banano team (details below), please reach out. If prior ownership can be proven, we will attempt to return funds where possible. - Reminder to make sure to use secure passwords/seeds, etc., and to keep to security best practices for your crypto!
End of TLDR, here’s all the details
Basics of account generation:
A seed is created as a securely randomly generated 32 byte value in the form of a 64 character uppercase hex string.
Private Keys are 32 byte value in the form of an uppercase hex string derived deterministically from the seed and an integer index value.
A Public key is a 32 byte value in the form of a hex string derived from the Private Key.
An Address is “ban_” followed by the Public Key encoded in base32 format (52 characters) followed by a hash of the Public Key (8 characters)
Please read more about wallet generation in the Nano Docs here.
What happened:
Vault’s only seed validity check was that it was 64 characters long, it did not verify the format of the seed was in hex formatting. By coincidence, the length of an Address, Public Key and Private Key and Transaction Hashes are all 64 characters long.
As a result, it was identified that some users had been using Banano addresses as a seed in Vault. This was discovered on Jan 8, 2024 after Vault had been shut down while trying to help some users recover their seeds in a public channel on the Banano Discord server. During the triaging session, no seeds were shared. After multiple instances of helping people recover their seeds, we noticed the recurring issue that an address had been imported as a seed and not the seed securely generated by Vault. We made the decision to remove the discussion around addresses as seeds before a malicious user saw what users were doing and take advantage.
As addresses are considered public information and there are ways to identify every address in use, as a precaution the team decided to try and secure funds stored in wallets using an address as the seed before someone else did. We input all Banano addresses into the seed generation function used by Vault to generate the wallets used and sent the funds to a central address to return the funds to users once verification could take place, hoping to do this before someone else did and the seed could still be considered secure for verification purposes. We managed to recover nearly 900,000 Banano from over 500 accounts using insecure seeds which seemed like a good result. Many of the accounts had also never been opened, likely due to them being invalid seeds and never accessed again and considered lost.
Unfortunately, while we were processing the accounts (which takes some time), it was discovered someone else had also begun doing the same thing not long after the discussion on the Discord server. An unknown user took 240,000 Banano from over 400 accounts and 8 Nano from 18 accounts. This user has since sold the Nano but is still holding the Banano and so we hope they may return these coins. A second unknown user has also been identified taking Banano from accounts with insecure seeds taking a small amount of Banano from 24 accounts.
What next?
TheBananoStand and Kalium perform proper input validation on seeds and so users should not be able to input something as insecure as an address as a seed. Please migrate to those wallets. If you did not back up your seed from Vault (and did not clear your browser cache), there is now a recovery system in place to retrieve it from local storage at https://vault.banano.cc. Nano Vault was also affected by this however Nault patched this as part of this issue on Github back in 2021.
Banano addresses are just one of many insecure seeds that could have been used. If you think you may have used something else that’s insecure such as a transaction hash or random letters totaling 64 characters, then please move your funds immediately to a new wallet. We have observed some users still sending folding rewards or faucet rewards to compromised addresses.
If you are affected:
If your account is one of the affected, please check what address your funds were sent to. The wallet created by the team as a holding place is ban_1rec1ag4gcf6uxeno9xi8hipjh3ictt6wk1pu4hk5wh5836gfxnd75dfzmsm and if ownership can be proven (please reach out via discord, email to help(at)banano.cc, or the contact form on banano.cc) we will return the funds. As the insecure seed is now considered compromised this cannot be used as verification. We will be looking for things such as tipbot links or exchange withdrawal evidence.
To the owners of the accounts ban_11biatz4g9t4d1i3tbtyfyt8kg8518krzojg9g3xxzpqtg9dfnzskcwwaog4 and ban_3ay7krtq3598co3wobzo8jus7wku5gnzmh571yx37mbh6a4jduffzhwbmhm6, please send the Banano to ban_1rec1ag4gcf6uxeno9xi8hipjh3ictt6wk1pu4hk5wh5836gfxnd75dfzmsm to avoid further investigation into you.
From the Banano Team, we are sincerely sorry for losses of funds. We will attempt to return funds where possible.
Reminder to make sure to use secure passwords / seeds, etc. and to keep to security best practices for your crypto!
What the Fork is Banano?
Banano is a cryptocurrency powered by DAG technology disrupting the meme economy. Banano has feeless and near-instant transactions, free & fair distribution, a highly active community, and active technical development!
Learn more at banano.cc. Find help getting started at banano.how. Current current BANANO price and market data at Coingecko or Coinmarketcap. All current trading pairs and exchanges here.
Join the Banano Republic!
Official Website | Yellowpaper | Wiki
Join our social channels for updates & giveaways:
Discord | Twitter | Reddit | Youtube | Telegram | Instagram | Facebook | TikTok | Medium | Publish0x | Github | BitcoinTalk