In an official statement, Komodo revealed that they were made aware of a serious vulnerability with one of the libraries used by the Agama wallet, potentially putting some user funds at risk. To mitigate the situation, Komodo’s Cyber Security Team used the same exploit to gain control of a lot of affected seeds and secure the funds at risk. 8 million KMD and 96 BTC were retrieved from the vulnerable wallets.
Today, we were made aware of a vulnerability in a library used by the Agama wallet, potentially putting some users' funds at risk. We are working on a fix. We strongly recommend moving all funds from Agama ASAP. See our announcement for details:https://t.co/VKXLYGBsgZ
— Komodo (@KomodoPlatform) June 5, 2019
The Verus version of Agama wallet is not affected by this vulnerability and is still completely secure.
The npm, Inc security team, who worked with Komodo, threw more light on the situation, citing a malware threat. This attack focused on getting a malicious package into the build chain for Agama and stealing the wallet seeds and other login passphrases used within the application. The attack was carried out by using a pattern that is becoming more and more popular; publishing a “useful” package (electron-native-notify) to npm, waiting until it was in use by the target, and then updating it to include a malicious payload.
What will a user do now?
Move funds: Komodo recommends to move all funds (Komodo, asset chains and other coins linked to the same seed / private key) to a new address as soon as possible. A user guide is provided here.
Reclaim lost fund: The safe wallets RSgD2cmm3niFRu2kwwtrEHoHMywJdkbkeF (KMD) and 1GsdquSqABxP2i7ghUjAXdtdujHjVYLgqk (BTC) are under the control of the Komodo Team, and assets can be reclaimed by their owners. Refer to the above user guide.
- Komodo founder, James Lee (JL777), has offered 500k KMD from his personal holdings
- One of Komodo’s newest ecosystem partners has also offered help (details will be disclosed later).
As always, we will suggest moving your funds to a hardware wallet, the safest way of storing crypto.