$13 000 000 USD

JUNE 2019

GLOBAL

AGAMA WALLET

DESCRIPTION OF EVENTS

"Agama is a wallet combining a desktop and mobile interface, orientated to the Komodo coin. It’s a SuperNet project, launched in 2017, which currently supports 16 cryptocurrencies. It has an open source code, readable and editable by everyone interested to implement modifications or simply check out the idea behind the project. Between its multiple features, you can observe the atomic swaps, integrated thanks to the decentralized exchange platform of Agama wallet. What’s more – you can choose between 3 different security modes when operating with your coins." "Founded at: 27 Aug 2016"

 

"Agama possesses a rare peer-to-peer option to trade via atomic swaps in 3 levels: Basilisk, Full or Native. The first one aims to be a light node, so you’re not supposed to download the entire blockchain, unfortunately it’s considered the slowest option. The second one is faster, but it’s up to store the public ledger’s data. When it comes to the Native mode, it offers some advanced features, compared to the Full option but it’s restricted only to several coins."

 

"Users can choose between Full, Basilisk and Native modes and they can use multiple currencies like Bitcoin, Komodo or Zcash, among many others. The multiwallet allows users to have and use multiple cryptocurrencies while allowing them to choose how they want to handle their security." "The Agama wallet is still being developed and it will contain additional tools like DEX, a decentralized liquid exchange for cryptocurrencies and PAX, a pegged asset exchange for fiat currency tokens. The coin exchange will use 'atomic swaps', which means the coins are exchanged peer to peer."

 

"On Wednesday the 5th of June, the Komodo team was made aware of an issue with the Agama wallet that potentially put some user’s funds at risk." "The vulnerability was discovered in the Agama wallet app, which runs on the Komodo platform, during an independent security audit of the code." "Details and a timeline of events will be published once the necessary steps have been taken to secure funds and fix the problem."

 

"The backdoor was uncovered by a team at the npm JavaScript package repository, which found a malicious update for the electron-native-notify library." "The team found that the update was in fact a supply chain attack aimed at an alternative target downstream. Agama was using EasyDEX-GUI, which was directly loading the compromised library." "The team responsible for uncovering the attack said the script would collect sensitive information, including passwords, and record them on a remote server, making the subsequent theft a straightforward process."

 

"Komodo’s version of Agama wallet was using a Node.js module that contained malicious code. The infected module was collecting user seed phrases and storing them on a publicly accessible server. Please read this post on the npm blog for more details about the malicious code and how it was inserted. Please note that only Komodo’s version of Agama wallet was affected. Verus Coin, a project within the Komodo ecosystem that maintains a distinct version of Agama, was not affected by this vulnerability."

 

"It now seems clear that the bug was created intentionally to target Komodo’s version of Agama wallet. A hacker spent several months making useful contributions to the Agama repository on GitHub before inserting the bug. Eventually, the hacker added malicious code to an update of a module that Komodo’s Agama was already using."

 

"The update contained malicious code that stored all seed phrases on a public server. The hacker saved the seed phrases on a public server to obscure his/her identity and to create a scenario where anyone could be a suspect when the vulnerability was finally exploited."

 

"The GitHub user sawlysawly published this commit on Mar 8th which added electron-native-notify ^1.1.5 as a dependency to the EasyDEX-GUI application (which is used as part of the Agama wallet). The next version of electron-native-notify was published 15 days later and was the first version to include a malicious payload. Following that Agama version v0.3.5 was released on Apr 13."

 

"After discovering the vulnerability, our Cyber Security Team used the same exploit to gain control of a lot of affected seeds and secure the funds at risk. We were able to sweep around 8 million KMD and 96 BTC from the vulnerable wallets, which otherwise would have been easy pickings for the attacker. The safe wallets are under the control of the Komodo Team, and assets can be reclaimed by their owners. See our support page article for details."

 

"The only way that the Komodo Dev Team was able to move users’ funds in this case was by accessing the trove of seed phrases that the attacker’s malicious module had saved."

 

"When alerted to the hack, the Komodo team used the same exploit to take user funds out of compromised accounts and move them to safe storage, a risky tactic that saw them effectively hack their own app to protect users."

 

"The tactic appears to have saved some 96 SegWitCoin (BTC), worth around $13 million, before a hacker stumbled over the funds."

 

"The Komodo blockchain platform revealed this week that its Agama cryptocurrency wallet app had been targeted by hackers. Hackers attempted to implant malicious code into the Agama app’s build chain with the intention of stealing wallet seeds and login passphrases."

 

“After discovering the vulnerability, our cybersecurity team used the same exploit to gain control of a lot of affected seeds and secure the funds at risk,” said Komodo in a blog post. “We were able to sweep around 8 million KMD (US $12.5 million) and 96 BTC (US $765,000) from these vulnerable wallets, which otherwise would have been easy pickings for the attacker.”

 

"If you have used Agama, we strongly recommend moving all funds (Komodo, assetchains and other coins linked to the same seed / private key) to a new address as soon as possible."

 

"Once again cryptocurrency investors might be wise to consider whether it is wise to store large amounts of digital currency in online wallets."

The Agama Wallet was an online wallet which enabled storage and trading of multiple cryptocurrencies. The wallet used libraries from npm and received contributions from multiple developers. After making multiple useful commits to gain trust, a malicious developer added new code which stored seed phrases on a public server. The next release of the wallet contained the vulnerability.

 

Since the server was public, the Agama Wallet team was able to access the seed phrases and move the funds of all users, which users could then reclaim via the team's support portal. It appears that the wallet has subsequently been discontinued. It's likely the features were rolled into a new wallet called AtomicDex.

HOW COULD THIS HAVE BEEN PREVENTED?

Given the risk, updates to wallet software should be subject to peer review.
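
The dependency described in the events above was declared as `^1.1.5`, a range that also accepts later releases within the same major version. The following added example (not code from Agama, Komodo or npm) is a review check that flags new, changed or floating entries in `package.json`; the function names, the `electron` entry and the version `1.2.0` are constructed for illustration.

```javascript
// Added example: review gate for package.json changes (not project code).
// Parses "x.y.z" into numbers; returns null for anything else.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Does `range` (exact, ^ or ~ only) admit `version`? npm caret/tilde rules.
function admits(range, version) {
  const v = parseVersion(version);
  const base = parseVersion(range.replace(/^[\^~]/, ""));
  if (!v || !base) return false;
  if (!/^[\^~]/.test(range)) return compare(v, base) === 0;
  let upper;
  if (range[0] === "~") upper = [base[0], base[1] + 1, 0];
  else if (base[0] > 0) upper = [base[0] + 1, 0, 0];
  else if (base[1] > 0) upper = [0, base[1] + 1, 0];
  else upper = [0, 0, base[2] + 1];
  return compare(v, base) >= 0 && compare(v, upper) < 0;
}

// Compare two package.json objects; list dependencies that need human review.
function reviewDependencyChange(before, after) {
  const findings = [];
  const oldDeps = before.dependencies || {};
  for (const [name, range] of Object.entries(after.dependencies || {})) {
    const isNew = !(name in oldDeps);
    const changed = !isNew && oldDeps[name] !== range;
    const floating = parseVersion(range) === null; // anything but exact x.y.z
    if (isNew || changed || floating) findings.push({ name, range, isNew, changed, floating });
  }
  return findings;
}

// Constructed sample input modelled on the dependency line quoted above.
const before = { dependencies: { electron: "4.0.0" } };
const after = { dependencies: { electron: "4.0.0", "electron-native-notify": "^1.1.5" } };
console.log(reviewDependencyChange(before, after));
console.log(admits("^1.1.5", "1.2.0")); // later release, constructed number
```

Pinning the exact version (`1.1.5`) makes `admits` return false for any later release, so a new upstream version only enters the build through a reviewed change.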

 

Platforms and individuals are best served by a multi-signature setup using wallets provided by multiple independent supply chains.

 


© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.