
Zero-Click Wallet Takeover via Magic Link Verification Race Condition

Reported: Feb 23, 2026
Severity: Critical
Platform: Web / Mobile
Vulnerability Class: Race Condition (CWE-367)
Target Type: Cryptocurrency Wallet
Impact: Complete wallet drain (mnemonic + private key extraction)

The Risk

An attacker could take over any user's cryptocurrency wallet without the victim doing anything. By exploiting a timing flaw in the login verification process, the attacker bypassed email verification entirely and extracted the wallet's recovery phrase and private key. This gave them complete control to transfer all funds. The attack worked against both email and Telegram-based wallets, and Telegram user IDs are publicly visible in community groups, making mass targeting straightforward.

The Vulnerability

When a login request was initiated, the system created a verification record in the database immediately but wrote the actual verification code to that record asynchronously (in a background process). For a brief window of 0-1 seconds, the record existed but the verification code field was empty.

The verification endpoint did not check for this empty state, so submitting a blank code during this window was accepted as valid.

The Attack

The attacker triggered a login request for the victim's email, then immediately submitted a blank verification code before the real code was written. This granted a valid authentication session.

From there, the attacker retrieved the victim's encrypted wallet material from the database, obtained decryption credentials through a cloud key management service, and reconstructed the wallet's complete recovery phrase through a multi-step decryption chain. A separate endpoint returned additional wallet data for any user without authentication, completing the key reconstruction. The entire process took approximately 60 seconds.

The Impact

Complete wallet compromise. The attacker obtained the full recovery phrase and private key, enabling them to transfer all funds from the victim's wallet. The attack required zero interaction from the victim.

For Telegram-based wallets, the attack was even simpler since Telegram user IDs are public and the synthetic email addresses used for these accounts follow a predictable pattern. Over 38,000 potential targets were enumerable from public community groups.

Remediation

  • Add a null check to the verification code comparison.
  • Write the verification code synchronously before returning from the login request.
  • Authenticate the wallet data endpoint that currently returns data for any user without verification.
  • Do not use predictable values as encryption passwords for wallet material.
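The empty-code window described under The Vulnerability and the first two remediation items, modelled as an added example (not the affected application's code): an in-memory stand-in for the verification table shows why a blank submission matches an unwritten code, and how a synchronous write plus an empty-value check and constant-time comparison close the window. Storage layout, field names and the six-digit code format are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class VerificationRecord:
    email: str
    code: str = ""  # empty until the background step writes it


# Constructed stand-in for the verification table.
STORE: dict[str, VerificationRecord] = {}


def new_code() -> str:
    return f"{secrets.randbelow(10**6):06d}"


def begin_login_async(email: str) -> VerificationRecord:
    """Flawed flow: the record exists before the code is written."""
    rec = VerificationRecord(email=email)
    STORE[email] = rec
    return rec  # the code arrives later via deliver_code()


def deliver_code(rec: VerificationRecord) -> str:
    """The asynchronous step that eventually fills in the code."""
    rec.code = new_code()
    return rec.code


def begin_login_fixed(email: str) -> VerificationRecord:
    """Remediation: the code is written before the request returns."""
    rec = VerificationRecord(email=email, code=new_code())
    STORE[email] = rec
    return rec


def verify_vulnerable(email: str, submitted: str) -> bool:
    rec = STORE.get(email)
    if rec is None:
        return False
    # Bug: during the window rec.code == "" so a blank submission matches.
    return rec.code == submitted


def verify_fixed(email: str, submitted: str) -> bool:
    rec = STORE.get(email)
    # Reject missing records, unwritten codes and blank submissions.
    if rec is None or not rec.code or not submitted:
        return False
    if not hmac.compare_digest(rec.code, submitted):
        return False
    del STORE[email]  # single use: a code cannot be replayed
    return True
```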