Reverse Pickpocket: Why Komodo Team Hacked Their Own Users
analysis


THELOGICALINDIAN - A abstruseness aces of Nancy Drew

The cryptocurrency world is full of risks, from malicious hackers to unexpected bugs. But you’d never expect developers to hack their own users–and you’d be even more surprised if their next step was to give the stolen funds back.

That’s the curious moral dilemma that faced developers for the Komodo (KMD) Platform last week. After discovering a major vulnerability in the Komodo Agama wallet, developers took an unusual emergency measure–stealing their own users’ funds, before a hacker could steal them first.

According to developers, some $13M of Komodo tokens were removed in a preventive theft that thwarted a months-long hacking scheme.

How To Hack A Wallet

According to the official statement from the Komodo team, the exploit was carefully inserted into Agama code after long preparation.

“A hacker spent several months making useful contributions to the Agama repository on GitHub before inserting the bug,” the team explained in an official update. “Eventually, the hacker added malicious code to an update of a module that Komodo’s Agama was already using.”

That meant anyone updating their wallet would automatically download the malicious code, which would store seed phrases and passphrases on a remote server. However, the backdoor was eventually discovered by Node Package Manager, a popular tool used to include external libraries into any project.

NPM promptly notified Komodo developers, who had to take immediate action.

This discovery presented a dilemma to the Komodo team: they knew that they would have to inform users, but they also needed to resolve the bug to prevent a hacker from immediately siphoning funds. The team believed the hacker was already collecting seeds and was simply waiting for the right time to steal the compromised funds.

“We did a full scan, using the hacker’s exploits against him to understand which accounts had been affected,” explained Komodo CMO Steve Lee. “After assessing all possible options and scenarios, we made the decision to intervene on behalf of our users.”

When the news of the vulnerability first broke, the community reacted with confusion, Lee said.

Komodo’s CTO, Kadan Stadelmann, had previously worked on IT security projects for both the Tunisian and Austrian Governments. Stadelmann’s quick thinking was essential in preventing further hacks, Lee said: “He is a very skilled and experienced white hat hacker who knew exactly what was going on and how best to rectify the situation.”

As funds were drained away, the thief saw the tokens moving and tried to steal as many as possible. According to Lee, the hacker made off with about a million KMD ($1.66M), but the potential theft could have been significantly worse had the Komodo team not intervened.

Damage Control

In an effort to clarify misunderstandings, Lee emphasized that this vulnerability is not a flaw in Komodo’s blockchain technology, and does not affect transaction security.

Following the incident, the Komodo team began publicizing the details of the vulnerability, as well as instructions to users on how to recover their funds. Lee emphasized that the exploit only affects the Komodo Agama wallet; other wallets, including the Verus Agama wallet, remain safe.

“Komodo’s policy in situations like these is to identify all possible solutions, and pick the one that puts our users and partners first,” Lee explained. “Understandably, we had some frustrated users, however the majority of the community feedback has been positive.”

While the attempted theft provides a cautionary tale to the users of blockchain technology, the alertness of Komodo developers prevented a larger disaster for Komodo users.

“Malicious attacks on our industry will continue to be an ongoing issue,” Lee said. “It’s through how we handle situations like these and how we learn from them that the technology can be made even more secure in the future.”