Reverse Pickpocket: Why Komodo Team Hacked Their Own Users

2019-6-11 00:16

The cryptocurrency world is full of risks, from malicious hackers to unexpected bugs. But you’d never expect developers to hack their own users–and you’d be even more surprised if their next step was to give the stolen funds back.

That’s the curious moral dilemma that faced developers for the Komodo (KMD) Platform last week. After discovering a major vulnerability in the Komodo Agama wallet, developers took an unusual emergency measure–stealing their own users’ funds, before a hacker could steal them first.

According to developers, some $13M of Komodo tokens were removed in a preventive theft that foiled a months-long hacking scheme.

How To Hack A Wallet

According to the official explanation from the Komodo team, the exploit was intentionally inserted into Agama code after long preparation.

“A hacker spent several months making useful contributions to the Agama repository on GitHub before inserting the bug,” the team explained in an official update. “Eventually, the hacker added malicious code to an update of a module that Komodo’s Agama was already using.”

That meant anyone updating their wallet would automatically download the malicious code, which would store seed phrases and pass phrases in an external server. However, the backdoor was eventually discovered by Node Package Manager, a popular tool used to include external libraries into any project.

NPM promptly notified Komodo developers, who had to take immediate action.

This discovery presented a dilemma to the Komodo team: they knew that they would have to notify users, but they also needed to resolve the bug to prevent a hacker from immediately siphoning funds. The team believed the hacker was already collecting seeds and was simply waiting for the right time to steal the compromised funds.

“We did a full scan, using the hacker’s exploits against him to understand which accounts had been affected,” explained Komodo CMO Steve Lee. “After assessing all possible options and scenarios, we made the decision to intervene on behalf of our users.”

When the story of the vulnerability first broke, the community reacted with confusion, Lee said.

“The most important thing we want people to understand is that we don’t have — and never have had — access to users’ private keys or seed phrases. We used the attacker’s same exploit to find every address that was affected, and we made the decision to use that same exploit to protect those funds and transfer them to a safe location. This was an internal white-hat counterattack.”Steve Lee, CMO of Komodo Platform

 Komodo’s CTO, Kadan Stadelmann, had previously worked on IT security projects for both the Tunisian and Austrian Governments. Stadelmann’s quick thinking was essential in preventing further hacks, Lee said: “He is a very skilled and experienced white hat hacker who knew exactly what was going on and how best to rectify the situation.”

As funds were drained away, the thief saw the tokens moving and tried to steal as many as possible. According to Lee, the hacker made off with around a million KMD($1.66M), but the potential theft could have been significantly worse had the Komodo team not intervened.

Damage Control

In an effort to clarify misunderstandings, Lee emphasized that this vulnerability is not a flaw in Komodo’s blockchain technology, and does not affect transaction security.

“It is important to understand that our core technology has not been compromised. This is a software product suffering from an external software vulnerability. The Komodo blockchain and all dPoW protected ecosystem chains remain entirely secure. Komodo has always employed a robust internal security code review process, along with external 3rd party penetration-testing, on all our core blockchain technologies. We are now assessing solutions to extend a more robust security audit to all our software products as well.”Steve Lee, CMO of Komodo Platform

Following the incident, the Komodo team began publicizing the details of the vulnerability, as well as instructions to users on how to recover their funds. Lee emphasized that the exploit only affects the Komodo Agama wallet; other wallets, including the Verus Agama wallet, remain safe.

“Komodo’s policy in situations like these is to explore all possible solutions, and pick the one that puts our users and partners first,” Lee explained. “Understandably, we had some frustrated users, however the majority of the community response has been positive.”

While the attempted theft provides a cautionary tale to the users of blockchain technology, the prompt by Komodo developers prevented a larger disaster for Komodo users.

“Malicious attacks on our industry will continue to be an ongoing issue,” Lee said. “It’s through how we handle situations like these and how we learn from them that the technology can be made even more secure in the future.”

 

The post Reverse Pickpocket: Why Komodo Team Hacked Their Own Users appeared first on Crypto Briefing.

Similar to Notcoin - Blum - Airdrops In 2024

origin »

OWNDATA (OWN) на Currencies.ru

$ 0 (+0.00%)
Объем 24H $0
Изменеия 24h: 0.00 %, 7d: 0.00 %
Cегодня L: $0 - H: $0
Капитализация $0 Rank 99999
Цена в час новости $ 6.89E-5 (-100%)

own users komodo developers reverse pickpocket team

own users → Результатов: 126


This Crypto Startup Hacks Its Own Users’ Wallets to Rescue $13 Million

By CCN: Better the thief you know than the one you don’t. Cryptocurrency platform Komodo has had to hack its users after discovering a serious security flaw in one of its wallets. According to a press statement by the blockchain startup, Komodo’s cybersecurity team was able to ‘sweep’ in and retrieve 8 million Komodo coins (KMD) and 96 Bitcoin before hackers got hold of the exposed loot.

2019-6-7 15:19


0x and StarkWare Partner to Create StarkDEX, Aims to Scale Decentralized Exchange Performance

A new trend has sprung up in the crypto world in the last few months which is the rise of decentralized exchanges as an alternative to traditional crypto exchanges. These exchanges offer certain benefits such as improved security for users and as a result, many traditional exchanges are beginning to launch their own actions such […]

2019-6-4 18:56


ARK Launches the ARK Deployer: Enabling Anyone to Create a Blockchain in 3 Simple Steps

Bitcoin Press Release: The ARK Deployer enables everyone, from seasoned developers to enthusiastic users, to easily create and customize their own blockchain in minutes. May 28th, 2019, United States — ARK, a leading blockchain technology provider has today launched the eagerly anticipated ARK Deployer; a free tool that enables users to quickly and easily create […] The post ARK Launches the ARK Deployer: Enabling Anyone to Create a Blockchain in 3 Simple Steps appeared first on Bitcoin PR Buzz.

2019-5-28 16:00


Neutro ICO

The Neutro Protocol solves the trilemma of scalability, security and decentralization, allows for anonymous transactions and eradicates the need for centralized oracles. Neutro users can create a decentralized version of almost any real-world market that exists now only in a centralized system that we all use currently.

2019-5-15 14:13


Binance Hackers Stole Only Bitcoin For This One Important Reason

Hackers stole $40 million in Bitcoin from cryptocurrency exchange Binance specifically because they trusted it most. ‘Bitcoin Ledger is the Most Immutable’ That was the conclusion circulating among the cryptocurrency community May 8 in the days after one of the world’s biggest trading platforms accepted it was unlikely to recover the funds and would need to repay users out of its own pocket.

2019-5-9 18:00