Summary: Users of Mina JavaScript client-sdk should upgrade to the 1.0.1 release of the client-sdk urgently. Out of an abundance of caution, users who generated private keys using the getKeys() function of the prior releases of the client-sdk should also immediately move any funds to an address that was generated by an alternative method, or by the new 1.0.1 release.
o1Labs – our ecosystem partner – recently discovered a vulnerability in the Mina JavaScript client-sdk where private key generation in some situations depends on poor entropy. This means that private keys generated under these situations are vulnerable to attacks by malicious actors, and with low probability, funds can be stolen. This has been patched and fixed in the 1.0.1 release of the client-sdk.
Developers and users who use the client-sdk should immediately upgrade to the new 1.0.1 release to fix this vulnerability. Users who have used either the client-sdk directly, or a product that depends on the client-sdk, should also immediately move their funds to an address that was generated by an alternative method, or the new 1.0.1 release.
About Mina Protocol
Mina is the world’s lightest blockchain, powered by participants. Rather than apply brute computing force, Mina uses advanced cryptography and recursive zk-SNARKs to design an entire blockchain that is about 22kb, the size of a couple of tweets. It is the first layer-1 to enable efficient implementation and easy programmability of zero knowledge smart contracts (zkApps). With its unique privacy features and ability to connect to any website, Mina is building a private gateway between the real world and crypto—and the secure, democratic future we all deserve.