On June 4, 2019 at approximately 5pm UTC, the Komodo team received a private notification from npm (Node Package Manager, a popular tool to include external Node.js libraries into any project) about a vulnerability in one of the upstream libraries Komodo’s Agama wallet was using.
The Komodo team would like to thank the npm security team for handling the situation so quickly and professionally.
If you had funds stored in Komodo’s Agama wallet and those funds were moved without your knowledge or permission, please complete this form at your earliest convenience. Please note you will need to fill a separate form for each asset. It is essential that all Agama users who had their funds moved fill out the form.
An Overview of the Vulnerability
Komodo’s version of Agama wallet was using a Node.js module that contained malicious code. The infected module was collecting user seed phrases and storing them on a publicly accessible server. Please read this post on the npm blog for more details about the malicious code and how it was inserted.
Please note that only Komodo’s version of Agama wallet was affected. Verus Coin, a project within the Komodo ecosystem that maintains a distinct version of Agama, was not affected by this vulnerability.
The Verus Agama wallet is completely secure and one of the recommended wallets in which to store your KMD. Verus Coin supports a number of ecosystem coins, including KMD, VRSC, and ARRR, as well as BTC, ETH, and other major digital assets.
It now seems clear that the bug was created intentionally to target Komodo’s version of Agama wallet. A hacker spent several months making useful contributions to the Agama repository on GitHub before inserting the bug. Eventually, the hacker added malicious code to an update of a module that Komodo’s Agama was already using.
The update contained malicious code that stored all seed phrases on a public server. The hacker saved the seed phrases on a public server to obscure his/her identity and to create a scenario where anyone could be a suspect when the vulnerability was finally exploited.
Understanding the Vulnerability
The KMD blockchain was not affected in any way. There is no vulnerability with the KMD blockchain or any other blockchain launched with Komodo’s technology. There is absolutely no need for a rollback or a hard fork. It’s crucial to understand that this was not a 51% attack or any other kind of attack on the KMD chain.
Rather, it was a security vulnerability in an external module that the code base of Agama wallet depended upon. The Komodo Team was made aware of the vulnerability and took immediate action to protect user funds and eliminate the threat.
In addition, only Komodo’s version of Agama was affected. The Verus Agama wallet is completely secure and one of the recommended wallets in which to store your KMD.
Komodo’s Response to the Vulnerability
Once the Komodo Dev Team learned that users’ seed phrases were being exported from Komodo’s Agama and catalogued, the decision was made to exploit the bug before a bad actor could do so.
After review, it seems the attacker had started emptying wallets before the Komodo Dev Team jumped into action. At the time, the Komodo Dev Team did not know that the attacker was already stealing funds and made the decision to secure vulnerable funds independently. Now, it is very clear that the Komodo team was in a race against the attacker to move all the funds in compromised wallets.
Using the seed phrases stored on the publicly accessible server, the Komodo Dev Team opened the compromised wallets and moved the funds to a secure wallet.
It is important to note that the Komodo Dev Team does not have access to anyone’s private keys, seed phrases, or funds, including Agama wallet users.
The only way that the Komodo Dev Team was able to move users’ funds in this case was by accessing the trove of seed phrases that the attacker’s malicious module had saved.
Approximately 8 Million KMD and 96 BTC are now in a secure wallet being safeguarded by the Komodo Dev Team. All funds will be returned to users once they generate a new, secure wallet, complete the Missing Funds Claim Form, and send a small transaction from the old wallet.
How To Reclaim Your Swept Funds
If you had funds stored in Agama wallet that someone else sent to a different address, the first step is to complete this Missing Funds Claim Form.
The reclaim process will begin with wallets that had less than 7777 KMD in them and are undisputed (meaning that only one missing funds claim was made for that wallet). If you meet these conditions then please read this support guide to learn more about the reclaim process.
The process will be simple and blockchain-based. First, a very small fraction of a KMD coin was sent to all addresses from which funds were swept. This step is already complete.
Second, the rightful owner of that address must access their compromised wallet and send that small amount of KMD to the same destination address specified in the Missing Funds Claim Form. This verifies that the same individual who completes the form is the rightful owner of the funds they are reclaiming.
Finally, the Komodo Team will return all funds moved in the security sweep. The Komodo Dev Team aims to process all of these undisputed refunds of less than 7777 KMD by June 15. Please be patient during this time.
For all other wallets— those with more than 7777 KMD and those for which multiple Missing Funds Claim Forms were completed— more details will follow soon. The Komodo Team aims to have all of these funds returned by June 30.
The Extent of the Losses
In total, the hacker managed to gain control of approximately 1 Million KMD. This is less than one percent of the circulating supply of KMD and roughly 0.5% of the total supply. The total supply of KMD is approximately 200 Million and will be reached around the year 2030.
The Komodo Dev Team is still conducting an analysis of the attack and the Support Team is still gathering information from users about funds that were either swept to a secure address or stolen by the attacker, so detailed plans have not yet been made.
However, it’s important to note that the Komodo team will be doing everything possible to make sure everyone gets all of their funds back. Komodo’s Lead Developer James ‘jl777’ Lee has pledged donate 500,000 KMD from his personal holdings to compensate users who lost their funds in this attack. More details will be released in the coming days.
Keeping the Komodo Ecosystem Secure
In place of Agama wallet, we are releasing a new wallet, AtomicDEX— a hybrid product that is both a multi-coin wallet and a decentralized exchange. AtomicDEX relies on newer, more advanced and more secure technologies.
One important aspect of AtomicDEX’s features is that it only utilizes dependencies that are reviewed by security experts. The new software environment and architecture of AtomicDEX will make security vulnerabilities less likely.
The Komodo team always makes security the highest priority. Our security team is constantly monitoring our network and blockchain activities to ensure the safety of our users.
The Komodo team would like to thank the community for such overwhelming support through this difficult situation. While it is surely frustrating to have funds moved without one’s knowledge or permission, the Komodo community has been extraordinarily patient and understanding. For that, the Komodo team is very grateful.
The Komodo team would also like to thank the Verus Coin team and Verus Coin Developer Michael Filip Toutonghi, who is the Lead Developer for Verus Agama wallet. The Verus Coin team has done an enormous amount of work on their own version of Agama wallet and added several innovative features. The Komodo team would like to thank Verus Coin for all their hard work and for providing such an outstanding alternative product for Komodo community members to use.
The Verus Agama wallet is completely secure and one of the recommended wallets in which to store your KMD.
If you had funds stored in Agama wallet and those funds were moved without your knowledge or permission, please complete this form at your earliest convenience. It is essential that all Agama users who had their funds moved fill out the form.
In the coming days, more updates about this vulnerability and the reclaim process will be published. The Komodo team believes firmly in transparency and will continue to keep the community fully informed. In particular, the Komodo team will soon announce details about the reclaim process for swept wallets that held over 7777 KMD, disputed wallets, and wallets whose funds were stolen.
Thanks again for your continued support.