
Update Regarding Vulnerability Recently Discovered In Komodo’s Agama Wallet

On June 4, 2019 at approximately 5pm UTC, the Komodo team received a private notification from npm (Node Package Manager, a popular tool to include external Node.js libraries into any project) about a vulnerability in one of the upstream libraries Komodo’s Agama wallet was using.

If you had funds stored in Komodo’s Agama wallet and those funds were moved without your knowledge or permission, please complete this form at your earliest convenience. Please note that you will need to fill out a separate form for each asset. It is essential that all Agama users who had their funds moved fill out the form.

An Overview Of The Vulnerability

Komodo’s version of Agama wallet was using a Node.js module that contained malicious code. The infected module was collecting user seed phrases and storing them on a publicly accessible server. Please read this post on the npm blog for more details about the malicious code and how it was inserted.

Please note that only Komodo’s version of Agama wallet was affected. Verus Coin, a project within the Komodo ecosystem that maintains a distinct version of Agama, was not affected by this vulnerability.

The Verus Agama wallet is completely secure and one of the recommended wallets in which to store your KMD. Verus Coin supports a number of ecosystem coins, including KMD, VRSC, and ARRR, as well as BTC, ETH, and other major digital assets.

It now seems clear that the bug was created intentionally to target Komodo’s version of Agama wallet. A hacker spent several months making useful contributions to the Agama repository on GitHub before inserting the bug. Eventually, the hacker added malicious code to an update of a module that Komodo’s Agama was already using.

The update contained malicious code that stored all seed phrases on a public server. The hacker saved the seed phrases on a public server to obscure his/her identity and to create a scenario where anyone could be a suspect when the vulnerability was finally exploited.

Understanding The Vulnerability

The KMD blockchain was not affected in any way. There is no vulnerability with the KMD blockchain or any other blockchain launched with Komodo’s technology. There is absolutely no need for a rollback or a hard fork. It’s crucial to understand that this was not a 51% attack or any other kind of attack on the KMD chain.

Rather, it was a security vulnerability in an external module that the code base of Agama wallet depended upon. The Komodo Team was made aware of the vulnerability and took immediate action to protect user funds and eliminate the threat.

In addition, only Komodo’s version of Agama was affected. The Verus Agama wallet is completely secure and one of the recommended wallets in which to store your KMD.

Komodo’s Response To The Vulnerability

Once the Komodo Dev Team learned that users’ seed phrases were being exported from Komodo’s Agama and catalogued, the decision was made to exploit the bug before a bad actor could do so.

After review, it seems the attacker had started emptying wallets before the Komodo Dev Team jumped into action. At the time, the Komodo Dev Team did not know that the attacker was already stealing funds and made the decision to secure vulnerable funds independently. Now, it is very clear that the Komodo team was in a race against the attacker to move all the funds in compromised wallets.

Using the seed phrases stored on the publicly accessible server, the Komodo Dev Team opened the compromised wallets and moved the funds to a secure wallet.

It is important to note that the Komodo Dev Team does not have access to anyone’s private keys, seed phrases, or funds, including Agama wallet users.

The only way that the Komodo Dev Team was able to move users’ funds in this case was by accessing the trove of seed phrases that the attacker’s malicious module had saved.

Approximately 8 Million KMD and 96 BTC are now in a secure wallet being safeguarded by the Komodo Dev Team. All funds will be returned to users once they generate a new, secure wallet, complete the Missing Funds Claim Form, and send a small transaction from the old wallet.

How To Reclaim Your Swept Funds

If you had funds stored in Agama wallet that someone else sent to a different address, the first step is to complete this Missing Funds Claim Form.

The reclaim process will begin with wallets that had less than 7777 KMD in them and are undisputed (meaning that only one missing funds claim was made for that wallet). If you meet these conditions then please read this support guide to learn more about the reclaim process.

The process will be simple and blockchain-based. First, a very small fraction of a KMD coin was sent to all addresses from which funds were swept. This step is already complete.

Second, the rightful owner of that address must access their compromised wallet and send that small amount of KMD to the same destination address specified in the Missing Funds Claim Form. This verifies that the same individual who completes the form is the rightful owner of the funds they are reclaiming.

Finally, the Komodo Team will return all funds moved in the security sweep. The Komodo Dev Team aims to process all of these undisputed refunds of less than 7777 KMD by June 15. Please be patient during this time.

For all other wallets — those with more than 7777 KMD and those for which multiple Missing Funds Claim Forms were completed — more details will follow soon. The Komodo Team aims to have all of these funds returned by June 30.
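As an added illustration (not Komodo’s own code), the following Python simulation triages claims under the rules described above: a marker amount is sent to each swept address, the claimant must spend that marker to the destination given on the claim form, and only undisputed wallets below 7777 KMD are handled in the first round. The marker wallet name, dust amount, addresses, balances and ledger entries are all constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    txid: str
    sender: str
    receiver: str
    amount: float  # in KMD


MARKER = "komodo-marker-wallet"  # hypothetical sender of the marker dust
DUST = 0.00001                   # constructed marker amount
FIRST_ROUND_LIMIT = 7777         # threshold stated in the post

# Constructed ledger, in chain order: marker dust reaches each swept
# address, then some owners spend it to the destination they claimed.
LEDGER = [
    Tx("t1", MARKER, "RSwept1", DUST),
    Tx("t2", "RSwept1", "RNewSafe1", DUST),   # correct proof of control
    Tx("t3", MARKER, "RSwept2", DUST),
    Tx("t4", "RSwept2", "RElsewhere", DUST),  # dust sent to the wrong address
    Tx("t5", MARKER, "RSwept3", DUST),
    Tx("t6", "RSwept3", "RNewSafe3", DUST),
]
SWEPT_BALANCE = {"RSwept1": 150.0, "RSwept2": 42.0, "RSwept3": 12000.0}

CLAIMS = [
    ("RSwept1", "RNewSafe1"),
    ("RSwept1", "RAttacker"),   # second claim for the same address: disputed
    ("RSwept2", "RNewSafe2"),
    ("RSwept3", "RNewSafe3"),
]


def proof_received(swept, destination, ledger):
    """True if the marker reached `swept` and was later spent to `destination`."""
    marker_seen = False
    for tx in ledger:
        if tx.sender == MARKER and tx.receiver == swept and tx.amount == DUST:
            marker_seen = True
        elif (marker_seen and tx.sender == swept
              and tx.receiver == destination and tx.amount == DUST):
            return True
    return False


def triage(claims, ledger, balances):
    """Assign each claim a first-round status: disputed, deferred, verified or pending."""
    per_address = Counter(swept for swept, _ in claims)
    status = {}
    for swept, destination in claims:
        if per_address[swept] > 1:
            status[(swept, destination)] = "disputed"
        elif balances.get(swept, 0.0) >= FIRST_ROUND_LIMIT:
            status[(swept, destination)] = "deferred_large"
        elif proof_received(swept, destination, ledger):
            status[(swept, destination)] = "verified"
        else:
            status[(swept, destination)] = "awaiting_proof"
    return status
```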

The Extent Of The Losses

In total, the hacker managed to gain control of approximately 1 Million KMD. This is less than one percent of the circulating supply of KMD and roughly 0.5% of the total supply. The total supply of KMD is approximately 200 Million and will be reached around the year 2030.

The Komodo Dev Team is still conducting an analysis of the attack and the Support Team is still gathering information from users about funds that were either swept to a secure address or stolen by the attacker, so detailed plans have not yet been made.

However, it’s important to note that the Komodo team will be doing everything possible to make sure everyone gets all of their funds back. Komodo’s Lead Developer James ‘jl777’ Lee has pledged to donate 500,000 KMD from his personal holdings to compensate users who lost their funds in this attack. More details will be released in the coming days.

Keeping The Komodo Ecosystem Secure

In place of Agama wallet, we are releasing a new wallet, AtomicDEX — a hybrid product that is both a multi-coin wallet and a decentralized exchange. AtomicDEX relies on newer, more advanced and more secure technologies.

One important aspect of AtomicDEX’s features is that it only utilizes dependencies that are reviewed by security experts. The new software environment and architecture of AtomicDEX will make security vulnerabilities less likely.

The Komodo team always makes security the highest priority. Our security team is constantly monitoring our network and blockchain activities to ensure the safety of our users.

New tutorials:

After the Komodo cybersecurity team swept the compromised addresses, the first round of funds reclamation, governed by blockchain rules, is already being fulfilled. The scheme for verifying ownership of the stolen keys combines on-chain and off-chain methods to reconcile the data, with quick resolution handled through the support desk. This use of the blockchain has allowed a community project to process claims efficiently.

The bespoke blockchain reclamation solution for distributing funds to users is a real-world example of processing business logic effectively and efficiently on a blockchain. The quick resolution is not fully blockchain-enabled and relies on off-chain and manual verification, for two reasons: the funds are under centralized control for a period, and no time was set aside for full end-to-end blockchain testing.

The quick resolution for funds reclamation described above is an example of a future multi-chain credit or refund system that could be integrated with an on-chain payments and disbursements module.

The rest of the article uses templated blockchain solutions to give free coins to users, relying only on the blockchain and only on native code for fast processing.

Example Interoperable Smart Chains Using Antara Rewards & Antara Faucet (With ROGUE gameplay in the middle of the green chain)
