
Pontem Wallet v.2.4.7 update bug: an explainer



With this post we want to clarify the issues with the latest extension upgrade, which caused a permission bug in Pontem Wallet the other day. To be clear, there was no vulnerability of any kind: the permissions were needed for important new features. We’ve already fixed the issue in v.2.4.71.

Your funds are safe

One of the new features in v.2.4.7 was a paste button that made importing a wallet easier. It required permission for the wallet to read the contents of the clipboard in some situations. It absolutely didn’t mean that someone could spy on you using the wallet and steal your seed phrase, for example. In fact, there is no way for any malicious third party to exploit this permission.

If you have accepted the new permissions and updated Pontem Wallet, don’t worry: your assets are completely safe. There is no vulnerability of any sort in v.2.4.7 or v.2.4.71.

If you panicked and deleted the extension: you can install v.2.4.71 safely right now.

The read permission was required for a new security feature

Adding new features to the wallet occasionally requires additional permissions, and that’s completely normal. However, the way some permissions are defined in the Chrome Store can make them look dangerous, even if they are actually completely innocuous.

That’s exactly what happened with the second new permission: the ability to read data in your browser. We integrated a phishing detection feature by ChainPatrol – a major provider of Web3 security solutions. This feature helps prevent users from signing fraudulent transactions: for example, when you unknowingly connect to a fake airdrop site that can drain assets from your wallet. ChainPatrol maintains an ever-growing blocklist of scam sites and works with MetaMask, Coinbase Wallet, etc.

MetaMask requires the same permissions by default

We’ve mentioned that MetaMask also includes security features by ChainPatrol. It also requires the same permission to read the data on websites and on the clipboard. The difference is that you give this permission to MetaMask by default when you first install it, so it isn’t displayed in any prominent way.

By the way, new users who installed Pontem Wallet 2.4.7 from scratch didn’t see any additional warning or request for permissions, either.
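The difference between updating and installing from scratch comes from Chrome asking existing users to re-approve an extension when an update's manifest requests permissions the installed version did not have. Below is an added example (not Pontem's code) of a pre-release check that diffs two manifests for such additions; the sample manifests, the `NO_WARNING` list and the function names are assumptions made for illustration.

```javascript
// Added example: flag permissions that a new manifest version adds over the
// previous one. The manifests below are constructed, not Pontem's real ones.

// Permissions that do not show an install/update warning in Chrome.
// Partial list (assumption: kept small on purpose; anything else is flagged).
const NO_WARNING = new Set(["activeTab", "alarms", "storage"]);

// Collect API permissions and host match patterns from an MV2 or MV3 manifest.
function grantedPermissions(manifest) {
  const isHost = (p) => p === "<all_urls>" || p.includes("://");
  const api = new Set();
  const hosts = new Set();
  for (const p of manifest.permissions || []) (isHost(p) ? hosts : api).add(p);
  for (const h of manifest.host_permissions || []) hosts.add(h);
  // Content scripts also grant host access through their match patterns.
  for (const cs of manifest.content_scripts || [])
    for (const m of cs.matches || []) hosts.add(m);
  return { api, hosts };
}

// Return what the new version adds that may trigger a re-approval prompt.
// Conservative: a new host pattern is reported even if an older one covers it.
function addedPermissions(oldManifest, newManifest) {
  const before = grantedPermissions(oldManifest);
  const after = grantedPermissions(newManifest);
  const api = [...after.api]
    .filter((p) => !before.api.has(p) && !NO_WARNING.has(p))
    .sort();
  const hosts = [...after.hosts].filter((h) => !before.hosts.has(h)).sort();
  return { api, hosts, needsReview: api.length + hosts.length > 0 };
}

// Constructed sample manifests (hypothetical extension and versions).
const previous = {
  manifest_version: 3, version: "1.0.0",
  permissions: ["storage"],
  host_permissions: ["https://wallet.example/*"],
};
const next = {
  manifest_version: 3, version: "1.1.0",
  permissions: ["storage", "alarms", "clipboardRead"],
  host_permissions: ["https://wallet.example/*"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["detect.js"] }],
};

const report = addedPermissions(previous, next);
console.log(report);
```

Run as a release gate, a non-empty result means existing users will likely be asked to approve the update, so the change can be announced beforehand.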

A new version is already live

We quickly realized that the new prompt was inconvenient for users and was causing uninstalls. After discussion, we decided to roll back the new features and re-publish the wallet update as v.2.4.71. It’s already live in the Chrome Store - download it here.

We always make sure to require only the bare minimum permissions for the wallet to work. You can be sure that Pontem always follows the strictest security standards. It’s for a good reason that Pontem Wallet is the only triple-audited wallet for Aptos, after all!

Still have some security concerns left? Share them with Pontem on Telegram, Twitter, or Discord – and our development and QA teams will happily answer.  
