Summary: Users of the Mina JavaScript client-sdk should upgrade to the 1.0.1 release of the client-sdk urgently. Out of an abundance of caution, users who generated private keys using the getKeys() function of the prior releases of the client-sdk should also immediately move any funds to an address that was generated by an alternative method, or by the new 1.0.1 release.
O(1) Labs – our ecosystem partner – recently discovered a vulnerability in the Mina JavaScript client-sdk where private key generation in some situations depends on poor entropy. This means that private keys generated in these situations are vulnerable to attacks by malicious actors and, with low probability, funds can be stolen. This has been fixed in the 1.0.1 release of the client-sdk.
Developers and users who use the client-sdk should immediately upgrade to the new 1.0.1 release to fix this vulnerability. Users who have used either the client-sdk directly, or a product that depends on the client-sdk, should also immediately move their funds to an address that was generated by an alternative method, or by the new 1.0.1 release.