The firm demonstrated in a video that it exploited the lack of encryption between the hardware wallet's CPU and the secure element, which holds the device's seed phrase. It used a field-programmable gate array (FPGA) to intercept communications between the processor and the secure element.
“The FPGA is a high speed processor also known as a field programmable gate array, allowing us to iterate through different algorithms, bypass the wallet’s security and extract the mnemonics,” Unciphered said.
OneKey acknowledged the vulnerability in a statement and said it had updated the security patch.
"No one was affected," the company said, emphasizing that a potential attack, as demonstrated by Unciphered, cannot be exploited remotely and would require both the crypto wallet of a user and specialized FPGA equipment.
OneKey said it paid Unciphered a bounty for the disclosure.
© 2023 The Block. All Rights Reserved.