Written by a Team Member
I opened Stack Wallet for screenshots for an upcoming tutorial a five-minute task. Instead, I spent three hours troubleshooting a frozen interface on a test wallet I’d created that morning and tried some of the most invasive forensic recovery tools on my own device. A client messaged. Same issue. Couldn’t access their funds in Stack Wallet.
After giving them the standard technical support response (network issues, user error,…) this time it was different. My test wallet displayed the same symptoms. Funds existed on the blockchain but the wallet couldn’t get past the loading screen. And because this was “just a test,” I hadn’t recorded the recovery phrase.
I practice what I preach to clients, except when I don’t. How many others were experiencing this simultaneously? We needed verification. Fresh device. Clean Stack Wallet install. Enable Tor. Result: Infinite loading screen. Reproducible and bug confirmed.
Emergency meeting. All of us staring at the same broken loading screen. One asked: “Do we tweet?” We didn’t. Responsible disclosure. You discover a vulnerability, you give developers time to patch before public announcement. Funds weren’t stolen or missing, just inaccessible. Announcing prematurely would create panic before Stack’s team could respond. The bug required specific conditions (latest update + Tor enabled) and thus had a limited impact.
Urban posted in Stack’s Telegram support channel describing the issue. The scammers materialized like flies on fresh meat. With their thick indian accent: “Hello sir, official support here.” “Please provide recovery phrase.” “Click for emergency restore.”
Some were obvious. Others were convincing, nearly indistinguishable from legitimate support. They almost fooled us. Public disclosure without a fix creates a feeding ground for social engineering attacks. We’d be providing opportunity. Stack’s team worked through the night. By Monday morning: patch ready, tested.
Then MacOS pushed an update. Stack’s build system failed. The fix existed but couldn’t be released. More hours. More refactoring. The disclosure window extended not from negligence but ill-timed technical speed bumps.
Finally on Thursday: Update deployed. Wallet unlocked. Funds accessible.
Users still await Apple and Google approval for automatic deployment.
I backed up all my recovery phrases that night. Even the “test” ones. Because next time, the bug might not unlock at all.
We Accept // Bitcoin | Monero | Credit Card