Update: Details of the Solflare “xpass” Exploit
March 13, 2026
Over the past year I have received many requests asking when I would release the full details of the Solflare xpass exploit. Today, I am publishing those details.
This post serves as an update to my original disclosure in Feb 2025 regarding a purposeful backdoor master key I discovered in the Solflare Chrome wallet extension that allows a wallet vault to be decrypted without requiring the user's wallet password.
At the time of the original report I privately disclosed this to Solflare and delayed public publication to give Solflare time to address the exploit.
The Core Issue
Solflare stores two critical values inside the extension's LevelDB storage:
solflaredata – encrypted wallet vault containing the seed phrase <-- this encrypted string contains the wallet seed phrase
solflarexpass – a key used to decrypt the vault <-- the "backdoor master key"
Because the decryption key is stored locally alongside the encrypted vault, the user's wallet password is not required to decrypt the vault and gain access to the wallet's seed phrase.
All that is required to decrypt the wallet and gain access to the seed phrase is access to the Chrome extension storage and extraction of the solflarexpass key -- something very easy for a malicious actor or stealer malware to do.
Once the vault is extracted with the key, the seed phrase can be recovered. No password cracking required.
Example Storage Layout
Inside the Chrome Solflare extension storage database the relevant entries appear similar to:
solflaredata: {
"data":{
"digest":"sha256",
"encoding":"base64",
"encrypted64":"..."
}
}
solflarexpass: "<stored key>"
Using the key stored in solflarexpass, the encrypted vault (solflaredata) can be decrypted.
A screenshot of the original report is attached below.
[image: 1773412854934-c25dc614-d139-4de7-9c3b-da142cb773bb-image.png]
