October 1, 2024
Admin

Attention: Puzzle Aleo Wallet on Chrome compromises user privacy. New Private Keys needed to preserve privacy.

TL;DR: Puzzle Aleo Wallet on Chrome stores your View Key on their server.

For Leo Wallet users who also use Puzzle Wallet on Chrome, we have recently discovered that Puzzle Wallet shares your View Key in plaintext with their servers on Aleo Mainnet by default.

This means that any account you’ve created in Leo Wallet and later imported into Puzzle Wallet has its View Key compromised, and transactions you’ve made or will make with that account can no longer be considered private.

With your View Key, Puzzle can permanently view your entire transaction history. This is a centralized point of failure for user privacy. 

Leo Wallet is dedicated to privacy and believes sharing View Keys with centralized parties is a major security breach.

If you’ve used Puzzle Wallet, our recommendation is to create a new seed phrase or new private keys with your Leo Wallet to preserve your privacy. 

Background

Aleo is a privacy chain that utilizes Zero Knowledge Proofs to generate public or private transactions. Each account on Aleo has a unique setup involving three main parts:

  1. Public Address - used to send and receive tokens; anyone can see this
  2. Private Key - used to prove ownership of the wallet and sign transactions
  3. View Key - used to view all encrypted transactions

Note: We shared these findings with Puzzle Wallet, who remains committed to the Aleo ecosystem and plans to address this in the future. Only the Chrome version of Puzzle Wallet is impacted.