The cryptocurrency world is full of risks, from malicious hackers to unexpected bugs. But you’d never expect developers to hack their own users–and you’d be even more surprised if their next step was to give the stolen funds back.
That’s the curious moral dilemma that faced developers for the Komodo (KMD) Platform last week. After discovering a major vulnerability in the Komodo Agama wallet, developers took an unusual emergency measure–stealing their own users’ funds, before a hacker could steal them first.
According to developers, some $13M of Komodo tokens were removed in a preventive theft that foiled a months-long hacking scheme.
How To Hack A Wallet
According to the official explanation from the Komodo team, the exploit was intentionally inserted into Agama code after long preparation.
“A hacker spent several months making useful contributions to the Agama repository on GitHub before inserting the bug,” the team explained in an official update. “Eventually, the hacker added malicious code to an update of a module that Komodo’s Agama was already using.”
That meant anyone updating their wallet would automatically download the malicious code, which would store seed phrases and pass phrases in an external server. However, the backdoor was eventually discovered by Node Package Manager, a popular tool used to include external libraries into any project.
NPM promptly notified Komodo developers, who had to take immediate action.
This discovery presented a dilemma to the Komodo team: they knew that they would have to notify users, but they also needed to resolve the bug to prevent a hacker from immediately siphoning funds. The team believed the hacker was already collecting seeds and was simply waiting for the right time to steal the compromised funds.
“We did a full scan, using the hacker’s exploits against him to understand which accounts had been affected,” explained Komodo CMO Steve Lee. “After assessing all possible options and scenarios, we made the decision to intervene on behalf of our users.”
When the story of the vulnerability first broke, the community reacted with confusion, Lee said.
“The most important thing we want people to understand is that we don’t have — and never have had — access to users’ private keys or seed phrases. We used the attacker’s same exploit to find every address that was affected, and we made the decision to use that same exploit to protect those funds and transfer them to a safe location. This was an internal white-hat counterattack.”Steve Lee, CMO of Komodo Platform
Komodo’s CTO, Kadan Stadelmann, had previously worked on IT security projects for both the Tunisian and Austrian Governments. Stadelmann’s quick thinking was essential in preventing further hacks, Lee said: “He is a very skilled and experienced white hat hacker who knew exactly what was going on and how best to rectify the situation.”
As funds were drained away, the thief saw the tokens moving and tried to steal as many as possible. According to Lee, the hacker made off with around a million KMD($1.66M), but the potential theft could have been significantly worse had the Komodo team not intervened.
Damage Control
In an effort to clarify misunderstandings, Lee emphasized that this vulnerability is not a flaw in Komodo’s blockchain technology, and does not affect transaction security.
“It is important to understand that our core technology has not been compromised. This is a software product suffering from an external software vulnerability. The Komodo blockchain and all dPoW protected ecosystem chains remain entirely secure. Komodo has always employed a robust internal security code review process, along with external 3rd party penetration-testing, on all our core blockchain technologies. We are now assessing solutions to extend a more robust security audit to all our software products as well.”Steve Lee, CMO of Komodo Platform
Following the incident, the Komodo team began publicizing the details of the vulnerability, as well as instructions to users on how to recover their funds. Lee emphasized that the exploit only affects the Komodo Agama wallet; other wallets, including the Verus Agama wallet, remain safe.
“Komodo’s policy in situations like these is to explore all possible solutions, and pick the one that puts our users and partners first,” Lee explained. “Understandably, we had some frustrated users, however the majority of the community response has been positive.”
While the attempted theft provides a cautionary tale to the users of blockchain technology, the prompt by Komodo developers prevented a larger disaster for Komodo users.
“Malicious attacks on our industry will continue to be an ongoing issue,” Lee said. “It’s through how we handle situations like these and how we learn from them that the technology can be made even more secure in the future.”
Comments