If you have ever held any funds on popular algorand wallet MyAlgo you need to immediately move them off. Hundreds of users are getting their funds drain after a myalgo exploit was revealed. The exact cause is unknown, but at this point it seems likely that it was a software breach on myalgo’s end and that all accounts that have had their mnemonic exposed on myalgo are at risk. You must rekey or move funds off of all MyAlgo wallets. Fortunately, the process is very easy. Do not panic, and read on to determine if moving funds or rekeying is better for you.
We’ll talk through whether rekeying or moving to a new account is better for you, and how to protect yourself against exploits like this in the future.
Table of Contents
How do I make sure my ASAs/Algorand Tokens are safe?
Situation #1: You have mostly Algo/ASAs in your Wallet
Situation #2: You have a lot of tokens and NFTs. Active DeFi user.
What is Rekeying?
How to Protect Yourself from Future Algorand Wallet Exploits
How to Secure Your ASAs and Algorand Tokens on a MyAlgo Wallet
There are a couple things you need to keep in mind. Whether you decide to rekey or move to a new account, you must take care to not lose the seed phrase of the new and old account. You will need both seed phrases to ensure complete access to your funds. Do not take any short cuts when it comes to your seed phrase/secret words.
You have four options:
1. Send funds to a new, non myalgo account.
2. Rekey using Pera Web or Defly
3. Rekey to a Ledger (safest for future exploits)
4. Sending $ALGO to a trusted exchange, like Coinbase.
Situation #1: You have mostly Algo or ASAs in your wallet, not a lot of NFTs.
Users in this situation (without hundreds of assets) will want to create a new wallet and send assets over. This is a viable option due to Algorand’s microcent transaction fees, it will cost very little to do this— though it becomes a pain to send things over one-by-one if you have a lot of assets, which is why this may not be the best choice for everyone.
In terms of what wallet is best as a myalgo replacement, there are a couple of good options.
The first is Defly Wallet, which is Algorand’s most advanced mobile wallet. The Defly Wallet has a lot of great functions, including re-keying if you need it, but is mobile only.
Next is Pera Wallet, the most popular self-custodial mobile wallet. They also recently released their web wallet, which works quite well as a myalgo wallet replacement. The only issue is that not all Web3 dapps have been updated to support Pera Web Wallet yet, so that might take a bit of time before it is fully interchangeable. I personally have started using Pera Web as my browser wallet.
The final and most secure solution is to switch over your assets (or your highest value ones) to a Ledger Wallet, which is a physical hardware wallet that maximally secures all of your assets. No users that held their assets on a ledger were affected by this exploit. Good options include the Nano S (desktop) and the Nano X (mobile + desktop), but if you want more information you can read my detailed guide to Ledger on Algorand.
Tip: Most Algorand Wallets work with Ledger. That means you can use Pera/Defly/MyAlgo and ledger at the same time, taking advantage of the features of a hot wallet and the security of a hardware wallet.
Situation #2: You have a lot of ASAs, NFTs, and are an active Algorand Ecosystem User. You used MyAlgo to access Algorand dapps from your browser
This is a situation that a lot of us, myself very much included, ended up in. You can re-key using Defly (mobile) or Pera (web). You can find official documents how to rekey here:
What is Rekeying on Algorand?
Re-Keying a wallet is the process through which the authoritative private keys of an account are rotated while keeping the public address. It basically hands over the signing rights from one wallet to another— though in this case you will own both wallets. Common reasons to rekey a wallet are: change in wallet ownership, a compromised account, using a ledger hardwallet.
That said, re-keying a wallet has some drawbacks
- You must hold both accounts in the same wallet.
- You have to import both accounts when changing wallets.
- Importantly, not all Algorand Dapps support rekeyed accounts. This may change as a result of this incident, but if you’re an active gamer — you might not be able to use a rekeyed account to play.
How to Rekey a MyAlgo Wallet
Fortunately, rekeying is a fairly straightforward process. If you are re-keying and using mobile, Defly Wallet is the best option. If you are looking to re-key a browser wallet, Pera Wallet Web is the best option. All you need to do is set up a new account that you want to use to sign transactions, and safely store that accounts seed phrase. You then key your old account to the new one, and you are done.
For the official guide on how to rekey on Defly, click here.
For the official guide on how to rekey a browser wallet on Pera, click here.
Rekeying a Wallet Using Pera Web
Step 1. Create a new account, and safely secure the seed phrase/recovery phrase. You need both the new and old recovery phrase to manage your funds.
Step 2. Go to Pera Web, and click the three dots by the wallet you want to rekey.
Step 3. Select the wallet you would like to rekey to. This means the new wallet will be the only one that can sign transactions for the old one. Finalize rekeying.
Can you Keep Your Assets on MyAlgo Wallet?
At this time, the answer is almost certainly no. You should much your funds off their app with urgency.
How to Protect Yourself From Future Algorand Exploits
The exact answer on how to prevent another MyAlgo exploit isn’t known yet, because the cause hasn’t been revealed. One thing is certain: had the exploited been using Ledger wallets, they would not have been exploited. Ledger Wallets serve as two-fold robust protection: the seed phrase never touches the internet, and the physical signing devices acts as 2FA.
Note: Unsure of how ledger works on Algorand, or which is the best? Read my complete guide here.
Additionally, become well versed on common social engineering tactics. The #1 (by far) most common way that crypto is stolen is by social engineering, phising, or other similar tactics that allow a bad actor to get control of your seed phrase. Vigorously verify links that you click on, and be extremely suspicious of anything that wants your seed phrase.
No. Immediately move funds that have been on MyAlgo to a new Pera or Defly Wallet. You can also Rekey your account if you have a lot of ASAs.
Yes, Pera Wallet was not affected by the MyAlgo exploit.
Yes. Defly was not affacted by the MyAlgo exploit.
Yes. If your mnemonic was ever in myalgo, you must rekey or move funds.
Yes, no users with a ledger wallet have been affected yet.
You can use Defly, Pera, or Exodus. A Ledger hardware wallet is the safest option.
Unfortunately, there is no way at the time to recover lost funds, unless police investigations find the culprit and force those funds to be returned.
No. You need to send funds to a newly created account, or use the re-key feature to a new account.
Yes. You can rekey to one wallet.
Yes. Save both the new and old recovery phrases. You will need both.
Yes, you must keep them on the same device/account.
No. You need to rekey or transfer funds.
You use the old address. When signing, the app will automatically use the rekey’d address to sign.
Coinbase is currently seeing delays due to network overload and many people doing the same thing. As long as the address is correct, your funds should be safe.
No. As long as your seed phrase has never been entered into MyAlgo, you are not at risk.
About the Author
Nathan has been running the AlgonautBlog for the last two years. He is focused on creating guides that help people safely the Algorand ecosystem and all it has to offer. He was a product manager on the Coinbase Wallet team and a 2021 UC Berkeley Economics graduate.
Learn More About Algorand
Follow the @algonautblog on twitter.
Keeping up with this blog and reading other articles is a great way to learn about the ecosystem. Here are the most popular articles I’ve written.
- Algorand Explained: Without Using A Single Crypto Term
- The Ultimate Guide to Easing Into the Algorand Ecosystem
- Crypto Wallets on Algorand: Exchange, Self-Custodial and Ledger