Wallet Registration on Replit Potentially Causes Mnemonic Phrase Exposure

The Atomicals ARC20 wallets deployed on the Replit platform are at risk of losing funds due to the exposure of sensitive information.

Some online tutorials for deploying Atomicals wallets on Replit may intentionally promote practices that facilitate wallet exploits.

Web3 security firm SlowMist is cautioning blockchain developers about risks associated with Replit, an AI-powered platform for software development. The security team, together with developers who have had funds stolen from Atomicals wallets created through Replit, suspects that the Replit integrated development environment (IDE) is the common factor behind the recent thefts.


The Atomicals protocol is an application layer protocol designed to work with UTXO (unspent transaction output) blockchains, including Bitcoin, Dogecoin, and Litecoin. Its primary purpose is to streamline the embedding of data in transactions, facilitating the easy creation and management of digital objects.

The Atomicals team provides a tool called atomicals-js, accessible on GitHub. It comprises a command-line interface and a JavaScript library that help users interact with the Atomicals protocol. Replit, with its support for coding directly in the browser and rapid project startup, has become a widely used platform for deploying wallets with atomicals-js, and many educational resources specifically recommend it for registering ARC20 wallets.

Yet the public nature of Replit projects introduces a critical weakness: anyone, including unauthorized parties, can read the files of a deployed project. SlowMist explains, "When the atomicals-js project is deployed and run, it generates a file named wallet.json in the project directory," adding that "This file contains sensitive information such as generated mnemonic phrases, private keys, and addresses."


SlowMist warns developers about the potential for effortless exploits targeting wallets deployed on Replit. The team underscores that Google Hacking techniques, which involve advanced search queries, are sufficient to "locate instances containing the wallet.json file."

Figure: atomicals-js file search (Source: SlowMist, Medium)

While SlowMist does not say so explicitly in its full security write-up, it refers to "deceptive articles luring users into unsafe practices" in a recent X post, suggesting that the spread of insecure deployment practices may be deliberate rather than a mere oversight.

Some developers have already reported falling victim to malicious actors after following these risky deployment practices on Replit. SlowMist describes a case identified with its MistTrack tool: on September 23, a victim transferred a total of 98,000 ATOM to a newly created ARC20 wallet address, and on September 24 the entire balance was moved to a hacker's address.

According to victims in contact with SlowMist, the compromise of private keys or mnemonic phrases occurred during the process of copying and pasting on a webpage.

The cybersecurity team strongly advises Replit users holding funds in Atomicals wallets deployed through this platform to promptly transfer their money. SlowMist emphasizes the critical importance of avoiding the execution of code containing sensitive information, particularly concerning cryptocurrency wallets or private keys, on publicly accessible platforms. They also caution users to exercise care when selecting online tutorials for cryptocurrency-related tasks, especially those involving Replit functionality.

The Web3 security team stresses the importance of "selecting wallet services that are reputable and have undergone rigorous security audits to minimize the risk of data breaches."