
MyAlgo $35M Exploit Escalating: Move or Rekey MyAlgo Accounts Immediately

If you have ever held any funds on the popular Algorand wallet MyAlgo, you need to move them off immediately. Hundreds of users are having their funds drained after a MyAlgo exploit was revealed. The exact cause is unknown, but at this point it seems likely that it was a software breach on MyAlgo’s end and that all accounts that have had their mnemonic exposed on MyAlgo are at risk. You must rekey or move funds off of all MyAlgo wallets. Fortunately, the process is very easy. Do not panic, and read on to determine if moving funds or rekeying is better for you.

We’ll talk through whether rekeying or moving to a new account is better for you, and how to protect yourself against exploits like this in the future.

Table of Contents

How do I make sure my ASAs/Algorand Tokens are safe?
Situation #1: You have mostly Algo/ASAs in your Wallet
Situation #2: You have a lot of tokens and NFTs. Active DeFi user.
What is Rekeying?
How to Protect Yourself from Future Algorand Wallet Exploits

How to Secure Your ASAs and Algorand Tokens on a MyAlgo Wallet


There are a couple of things you need to keep in mind. Whether you decide to rekey or move to a new account, you must take care not to lose the seed phrase of either the new or the old account. You will need both seed phrases to ensure complete access to your funds. Do not take any shortcuts when it comes to your seed phrase/secret words.

You have four options:

1. Send funds to a new, non-MyAlgo account.
2. Rekey using Pera Web or Defly.
3. Rekey to a Ledger (safest for future exploits).
4. Send $ALGO to a trusted exchange, like Coinbase.

Situation #1: You have mostly Algo or ASAs in your wallet, not a lot of NFTs.

Users in this situation (without hundreds of assets) will want to create a new wallet and send assets over. This is a viable option because Algorand’s microcent transaction fees make it cost very little. It does become a pain to send things over one by one if you have a lot of assets, which is why this may not be the best choice for everyone.

In terms of what wallet is best as a MyAlgo replacement, there are a couple of good options.

The first is Defly Wallet, which is Algorand’s most advanced mobile wallet. The Defly Wallet has a lot of great functions, including re-keying if you need it, but is mobile only.

Next is Pera Wallet, the most popular self-custodial mobile wallet. They also recently released their web wallet, which works quite well as a MyAlgo wallet replacement. The only issue is that not all Web3 dapps have been updated to support Pera Web Wallet yet, so it might take a bit of time before it is fully interchangeable. I personally have started using Pera Web as my browser wallet.

The final and most secure solution is to switch over your assets (or your highest value ones) to a Ledger Wallet, which is a physical hardware wallet that maximally secures all of your assets. No users that held their assets on a Ledger were affected by this exploit. Good options include the Nano S (desktop) and the Nano X (mobile + desktop), but if you want more information you can read my detailed guide to Ledger on Algorand.

Tip: Most Algorand wallets work with Ledger. That means you can use Pera/Defly/MyAlgo and Ledger at the same time, taking advantage of the features of a hot wallet and the security of a hardware wallet.

Situation #2: You have a lot of ASAs, NFTs, and are an active Algorand Ecosystem User. You used MyAlgo to access Algorand dapps from your browser

This is a situation that a lot of us, myself very much included, ended up in. You can rekey using Defly (mobile) or Pera (web). You can find the official documentation on how to rekey here:
Defly
Pera

What is Rekeying on Algorand?

Rekeying a wallet is the process through which the authoritative private keys of an account are rotated while keeping the public address. It basically hands over the signing rights from one wallet to another, though in this case you will own both wallets. Common reasons to rekey a wallet are: change in wallet ownership, a compromised account, using a Ledger hardware wallet.

That said, rekeying a wallet has some drawbacks:

  • You must hold both accounts in the same wallet.
  • You have to import both accounts when changing wallets.
  • Importantly, not all Algorand dapps support rekeyed accounts. This may change as a result of this incident, but if you’re an active gamer, you might not be able to use a rekeyed account to play.

How to Rekey a MyAlgo Wallet

Fortunately, rekeying is a fairly straightforward process. If you are rekeying on mobile, Defly Wallet is the best option. If you are looking to rekey a browser wallet, Pera Wallet Web is the best option. All you need to do is set up a new account that you want to use to sign transactions, and safely store that account’s seed phrase. You then rekey your old account to the new one, and you are done.

For the official guide on how to rekey on Defly, click here.

For the official guide on how to rekey a browser wallet on Pera, click here.

Rekeying a Wallet Using Pera Web

Step 1. Create a new account, and safely secure the seed phrase/recovery phrase. You need both the new and old recovery phrase to manage your funds.

Step 2. Go to Pera Web, and click the three dots by the wallet you want to rekey.


Step 3. Select the wallet you would like to rekey to. This means the new wallet will be the only one that can sign transactions for the old one. Finalize rekeying.
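
Once the rekey is finalized, it is worth confirming that no exposed key still controls funds. The following Python is an added example, not code from this post or from any wallet: it audits account records shaped like algod’s account response, where a rekeyed account carries an `auth-addr` field naming the address whose key must sign. All addresses, asset IDs and balances are constructed placeholders.

```python
# Added example. Addresses, asset IDs and balances are constructed placeholders.
EXPOSED = {"OLD_A", "OLD_B", "OLD_C", "OLD_D"}  # mnemonics once entered into MyAlgo

ACCOUNTS = [  # shaped like algod account records; "amount" is in microAlgos
    {"address": "OLD_A", "amount": 5_000_000,   # only imported into another wallet
     "assets": [{"asset-id": 1001, "amount": 10}]},
    {"address": "OLD_B", "amount": 2_000_000, "auth-addr": "NEW_LEDGER"},
    {"address": "OLD_C", "amount": 0, "assets": []},  # funds moved to a new account
    {"address": "OLD_D", "amount": 1_000_000, "auth-addr": "OLD_A"},
    {"address": "NEW_LEDGER", "amount": 3_000_000},
]


def effective_signer(acct):
    """Address whose key must sign: auth-addr if rekeyed, else the account itself."""
    return acct.get("auth-addr") or acct["address"]


def holds_funds(acct):
    """True if the account holds any Algo or any ASA balance."""
    return acct.get("amount", 0) > 0 or any(
        h.get("amount", 0) > 0 for h in acct.get("assets", []))


def audit(accounts, exposed):
    """Classify every exposed account as 'rekeyed', 'at-risk' or 'emptied'."""
    report = {}
    for acct in accounts:
        addr = acct["address"]
        if addr not in exposed:
            continue  # key never touched MyAlgo, nothing to check
        if effective_signer(acct) not in exposed:
            report[addr] = "rekeyed"   # the exposed key can no longer sign
        elif holds_funds(acct):
            report[addr] = "at-risk"   # an exposed key still controls funds
        else:
            report[addr] = "emptied"   # nothing left for the exposed key to spend
    return report


if __name__ == "__main__":
    for addr, status in audit(ACCOUNTS, EXPOSED).items():
        print(f"{addr}: {status}")
```

Note that `OLD_D` stays at risk even though it was rekeyed, because it was rekeyed to another account whose mnemonic was also exposed, and `OLD_A` stays at risk because importing it into a different wallet does not change its key.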


Can you Keep Your Assets on MyAlgo Wallet?

At this time, the answer is almost certainly no. You should move your funds off their app with urgency.

How to Protect Yourself From Future Algorand Exploits

The exact answer on how to prevent another MyAlgo exploit isn’t known yet, because the cause hasn’t been revealed. One thing is certain: had the affected users been using Ledger wallets, they would not have been exploited. Ledger wallets provide two-fold protection: the seed phrase never touches the internet, and the physical signing device acts as 2FA.

Note: Unsure of how Ledger works on Algorand, or which is the best? Read my complete guide here.

Additionally, become well versed in common social engineering tactics. The #1 (by far) most common way that crypto is stolen is by social engineering, phishing, or other similar tactics that allow a bad actor to get control of your seed phrase. Vigorously verify links that you click on, and be extremely suspicious of anything that wants your seed phrase.

MyAlgo FAQ

Is MyAlgo Wallet safe?

No. Immediately move funds that have been on MyAlgo to a new Pera or Defly Wallet. You can also rekey your account if you have a lot of ASAs.

Is Pera Wallet safe?

Yes, Pera Wallet was not affected by the MyAlgo exploit.

Is Defly Wallet safe?

Yes. Defly was not affected by the MyAlgo exploit.

Do I have to move funds on an old MyAlgo wallet?

Yes. If your mnemonic was ever in MyAlgo, you must rekey or move funds.

Is a Ledger wallet on MyAlgo safe?

Yes, no users with a Ledger wallet have been affected yet.

What Algorand wallets are safe?

You can use Defly, Pera, or Exodus. A Ledger hardware wallet is the safest option.

How do I get my lost MyAlgo Algo back?

Unfortunately, there is no way at this time to recover lost funds, unless police investigations find the culprit and force those funds to be returned.

Is importing a wallet to Pera enough?

No. You need to send funds to a newly created account, or use the rekey feature to rekey to a new account.

Can you rekey multiple accounts or wallets to a single one?

Yes. You can rekey to one wallet.

Do you need to save your old passphrase/secret phrase when rekeying?

Yes. Save both the new and old recovery phrases. You will need both.

Do rekey’d wallets have to be in the same account?

Yes, you must keep them on the same device/account.

Does disconnecting your wallet from MyAlgo help?

No. You need to rekey or transfer funds.

After you rekey an Algorand account, which address do you use to receive funds?

You use the old address. When signing, the app will automatically use the rekey’d address to sign.

Why is my $ALGO not showing up in my Coinbase account?

Coinbase is currently seeing delays due to network overload and many people doing the same thing. As long as the address is correct, your funds should be safe.

Are Ledger MyAlgo users at risk?

No. As long as your seed phrase has never been entered into MyAlgo, you are not at risk.

About the Author

The AlgonautBlog

Nathan has been running the AlgonautBlog for the last two years. He is focused on creating guides that help people safely use the Algorand ecosystem and all it has to offer. He was a product manager on the Coinbase Wallet team and is a 2021 UC Berkeley Economics graduate.

Learn More About Algorand

Follow @algonautblog on Twitter.

Keeping up with this blog and reading other articles is a great way to learn about the ecosystem. Here are the most popular articles I’ve written.

  1. Algorand Explained: Without Using A Single Crypto Term
  2. The Ultimate Guide to Easing Into the Algorand Ecosystem
  3. Crypto Wallets on Algorand: Exchange, Self-Custodial and Ledger
