During a recent routine internal review, we discovered and resolved an issue with the creation of some Casa members' mobile keys and Pay keys. The affected keys were created by members using the iOS version of the Casa app between February 15, 2023 and May 11, 2023.
After a thorough investigation, we determined that this issue did not compromise any Casa accounts or funds. We will continue monitoring account activity, and as an additional precaution, we contacted affected members and recommended that they replace their affected keys.
To make this key replacement process simple, we prepared a step-by-step guide in the Casa app. Affected members can open the Casa app, log in, and follow the prompts to complete their key replacement.
Please note: Unaffected members will not see these prompts. If you do not see these prompts in your Casa app, your keys were not affected and no further action is required.
Pay key vs. mobile key
Since the Pay wallet is a single-key wallet, we are requiring affected members to replace the Pay key to keep the wallet healthy.
We recommend that Casa members only use their Pay wallets to store small amounts of funds, approximately the amount of cash they would be comfortable carrying in their physical wallets. The single-key setup is designed for convenience and ease of use, but not for protecting larger amounts of assets, which are better held in more secure vaults protected by multiple keys.
The mobile key is different because it is part of a vault with multiple keys. The benefit of a 3-key or 5-key vault is that no single key is sufficient to move funds.
In the interest of keeping the vault setup as secure as possible, we recommend ensuring every key is healthy. We also recognize that replacing a key in a vault can be difficult if a member has set up automatic deposits, or has geographically distributed their hardware key(s).
If replacing the mobile key presents significant difficulty, affected members can choose to skip or delay a replacement, since they can rely on the rest of the keys to minimize the risk to the vault.
Instructions for key replacement
If your key(s) have been affected, the Casa app will prompt you to replace the key the next time you sign in.
Pay Key replacement prompt on the left. Mobile Key replacement prompt on the right. Note that the Mobile Key replacement can be postponed if performing a key rotation is inconvenient.
If you are not prompted to replace your key, your key was not affected, and no further action is required.
When you click the purple "Replace Key" button at the bottom, your Casa app will generate a new key on your device, and upload an encrypted backup of the key to your device's cloud drive.
Once the new key has been created, you will need to send any bitcoin in that wallet to the new wallet. Select "Use Guided Recovery" if you would like the Casa app to create a transaction sending your entire balance to the new wallet or vault created using the new key. Select "Use Manual Recovery" if you would prefer to create the transaction yourself, which you may want to do if you want to send to an external address or to send your UTXOs to the new wallet or vault individually. You can still sign the recovery transaction using the mobile key that has just been replaced.
If you are unsure which recovery process is right for you, please see our article, Guided vs. manual recovery transactions.
Once the transaction has been confirmed on the blockchain, be sure to update your addresses anywhere you might have saved them in the past!
If you have any questions or are unsure about whether your key was affected, please contact us at firstname.lastname@example.org.