Agama Wallet Malicious Upgrade
Latest revision as of 13:20, 1 May 2023
Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' and 'General Prevention' sections to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!
Agama was a multi-coin desktop and mobile wallet from the Komodo ecosystem (originally a SuperNET project) that supported storing and trading several cryptocurrencies. It was an open-source Node.js application with contributions from multiple developers, and it depended on packages pulled from the npm registry at build time. A contributor spent several months making useful commits to build trust, then added a new dependency, electron-native-notify, to the EasyDEX-GUI component; a later release of that package carried a payload that collected users' seed phrases and passwords and sent them to a remote server that turned out to be publicly accessible. Agama v0.3.5, released on April 13th, 2019, shipped with the malicious dependency.
Because the exfiltration server was publicly accessible, Komodo's security team was able to use the same channel to retrieve the collected seed phrases, sweep around 8 million KMD and 96 BTC out of the affected wallets before the attacker did, and hold the funds for their owners to reclaim through Komodo's support portal. Agama appears to have been discontinued afterwards; its functionality was likely carried over into Komodo's later AtomicDex wallet.
This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18]
About Agama Wallet
"Agama is a wallet combining a desktop and mobile interface, orientated to the Komodo coin. It’s a SuperNet project, launched in 2017, which currently supports 16 cryptocurrencies. It has an open source code, readable and editable by everyone interested to implement modifications or simply check out the idea behind the project. Between its multiple features, you can observe the atomic swaps, integrated thanks to the decentralized exchange platform of Agama wallet. What’s more – you can choose between 3 different security modes when operating with your coins." "Founded at: 27 Aug 2016"
"Agama possesses a rare peer-to-peer option to trade via atomic swaps in 3 levels: Basilisk, Full or Native. The first one aims to be a light node, so you’re not supposed to download the entire blockchain, unfortunately it’s considered the slowest option. The second one is faster, but it’s up to store the public ledger’s data. When it comes to the Native mode, it offers some advanced features, compared to the Full option but it’s restricted only to several coins."
"Users can choose between Full, Basilisk and Native modes and they can use multiple currencies like Bitcoin, Komodo or Zcash, among many others. The multiwallet allows users to have and use multiple cryptocurrencies while allowing them to choose how they want to handle their security." "The Agama wallet is still being developed and it will contain additional tools like DEX, a decentralized liquid exchange for cryptocurrencies and PAX, a pegged asset exchange for fiat currency tokens. The coin exchange will use 'atomic swaps', which means the coins are exchanged peer to peer."
"On Wednesday the 5th of June, the Komodo team was made aware of an issue with the Agama wallet that potentially put some users' funds at risk." "The vulnerability was discovered in the Agama wallet app, which runs on the Komodo platform, during an independent security audit of the code." "Details and a timeline of events will be published once the necessary steps have been taken to secure funds and fix the problem."
"The backdoor was uncovered by a team at the npm JavaScript package repository, which found a malicious update for the electron-native-notify library." "The team found that the update was in fact a supply chain attack aimed at an alternative target downstream. Agama was using EasyDEX-GUI, which was directly loading the compromised library." "The team responsible for uncovering the attack said the script would collect sensitive information, including passwords, and record them on a remote server, making the subsequent theft a straightforward process."
"Komodo’s version of Agama wallet was using a Node.js module that contained malicious code. The infected module was collecting user seed phrases and storing them on a publicly accessible server. Please read this post on the npm blog for more details about the malicious code and how it was inserted. Please note that only Komodo’s version of Agama wallet was affected. Verus Coin, a project within the Komodo ecosystem that maintains a distinct version of Agama, was not affected by this vulnerability."
"It now seems clear that the bug was created intentionally to target Komodo’s version of Agama wallet. A hacker spent several months making useful contributions to the Agama repository on GitHub before inserting the bug. Eventually, the hacker added malicious code to an update of a module that Komodo’s Agama was already using."
"The update contained malicious code that stored all seed phrases on a public server. The hacker saved the seed phrases on a public server to obscure his/her identity and to create a scenario where anyone could be a suspect when the vulnerability was finally exploited."
"The GitHub user sawlysawly published this commit on Mar 8th which added electron-native-notify ^1.1.5 as a dependency to the EasyDEX-GUI application (which is used as part of the Agama wallet). The next version of electron-native-notify was published 15 days later and was the first version to include a malicious payload. Following that Agama version v0.3.5 was released on Apr 13."
"After discovering the vulnerability, our Cyber Security Team used the same exploit to gain control of a lot of affected seeds and secure the funds at risk. We were able to sweep around 8 million KMD and 96 BTC from the vulnerable wallets, which otherwise would have been easy pickings for the attacker. The safe wallets are under the control of the Komodo Team, and assets can be reclaimed by their owners. See our support page article for details."
"The only way that the Komodo Dev Team was able to move users’ funds in this case was by accessing the trove of seed phrases that the attacker’s malicious module had saved."
"When alerted to the hack, the Komodo team used the same exploit to take user funds out of compromised accounts and move them to safe storage, a risky tactic that saw them effectively hack their own app to protect users."
"The tactic appears to have saved some 96 SegWitCoin (BTC), worth around $13 million, before a hacker stumbled over the funds."
"The Komodo blockchain platform revealed this week that its Agama cryptocurrency wallet app had been targeted by hackers. Hackers attempted to implant malicious code into the Agama app’s build chain with the intention of stealing wallet seeds and login passphrases."
“After discovering the vulnerability, our cybersecurity team used the same exploit to gain control of a lot of affected seeds and secure the funds at risk,” said Komodo in a blog post. “We were able to sweep around 8 million KMD (US $12.5 million) and 96 BTC (US $765,000) from these vulnerable wallets, which otherwise would have been easy pickings for the attacker.”
"If you have used Agama, we strongly recommend moving all funds :warning: :warning: :warning: (Komodo, assetchains and other coins linked to the same seed / private key) to a new address as soon as possible."
"Once again cryptocurrency investors might be wise to consider whether it is wise to store large amounts of digital currency in online wallets."
The Reality
It later became clear that the problem was not an accidental bug. A contributor spent several months making useful commits to the Agama repository before adding a dependency whose next release carried a malicious payload, and the attacker stored the harvested seed phrases on a public server so that anyone could have been a suspect once the data was used. Komodo stated that only its own build of Agama was affected; Verus Coin's separately maintained version was not.
What Happened
| Date | Event | Description |
|---|---|---|
| March 8th, 2019 | Dependency added | GitHub user sawlysawly commits a change adding electron-native-notify at the floating range ^1.1.5 as a dependency of EasyDEX-GUI, a component used by the Agama wallet. |
| Around March 23rd, 2019 (15 days later) | Malicious version published | The next version of electron-native-notify is published to npm; it is the first version to include a malicious payload that collects seed phrases and passwords and sends them to a remote server. |
| April 13th, 2019 | Vulnerable release | Agama v0.3.5 is released with the malicious dependency included. |
| June 5th, 2019 | Main Event | Komodo is made aware of the malicious dependency, identified by the npm security team. Komodo's security team uses the attacker's own exfiltration channel to retrieve the collected seeds, sweeps around 8 million KMD and 96 BTC from affected wallets into wallets it controls, and publishes an announcement urging all Agama users to move funds linked to their seeds to a new address. |
Technical Details
This was a software supply-chain attack rather than a flaw in Agama's own code. On March 8th, 2019 a contributor (GitHub user sawlysawly) added electron-native-notify at the floating range ^1.1.5 as a dependency of EasyDEX-GUI, the UI component that Komodo's Agama wallet builds on. A caret range accepts any later 1.x release, so a build that resolved the dependency afresh would pick up a newer version of electron-native-notify without any change to EasyDEX-GUI's own code. The next version of the package, published to npm 15 days after the dependency was added, was the first to include a malicious payload; Agama v0.3.5, released on April 13th, shipped with it. At runtime the payload collected users' seed phrases and passwords and recorded them on a remote server that was publicly accessible. The npm security team identified the update as a supply-chain attack aimed at a downstream target and traced it to Agama. Only Komodo's build of Agama was affected; Verus Coin's fork was not. Because the collection server was public, Komodo's team was able to use the same channel to retrieve the stored seeds and sweep the funds at risk.
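The version-range mechanism that let the poisoned release reach Agama is easy to reproduce. The block below is an added example written for this page, not code from Komodo, Agama or npm: it implements the caret and tilde semantics npm applies to a range such as ^1.1.5, shows which version a fresh install with no lockfile would pick, and audits a constructed package.json/package-lock.json pair for floating ranges, lockfile entries that have drifted above the declared base version, and entries with no integrity hash. Only the package name electron-native-notify and the ^1.1.5 range come from the write-ups; the example-pinned-lib package, the 1.1.6 version number and the lockfile contents are constructed for illustration.

```javascript
// Added example for this page, not Komodo/Agama/npm code. Shows why a floating
// range such as "^1.1.5" lets the next published release of a dependency enter
// a build unreviewed, and audits a manifest/lockfile pair for that condition.
// All sample data is constructed; only the package name "electron-native-notify"
// and the "^1.1.5" range come from the incident write-ups.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

// Comparator usable with Array.sort: negative, zero or positive.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Exclusive upper bound of a caret range (npm semantics): the left-most
// non-zero component is frozen. ^1.1.5 -> <2.0.0, ^0.2.3 -> <0.3.0, ^0.0.3 -> <0.0.4
function caretUpperBound(base) {
  const [maj, min, pat] = parseVersion(base);
  if (maj > 0) return `${maj + 1}.0.0`;
  if (min > 0) return `0.${min + 1}.0`;
  return `0.0.${pat + 1}`;
}

// Tilde ranges permit patch-level changes only: ~1.1.5 -> <1.2.0
function tildeUpperBound(base) {
  const [maj, min] = parseVersion(base);
  return `${maj}.${min + 1}.0`;
}

const EXACT = /^\d+\.\d+\.\d+$/;

// Handles exact pins, caret and tilde. Any other syntax (|| unions, comparators,
// dist-tags, git or file URLs) throws, so the audit fails closed rather than
// silently approving a range it did not parse.
function satisfies(version, range) {
  const r = String(range).trim();
  if (r.startsWith('^') || r.startsWith('~')) {
    const base = r.slice(1);
    const upper = r.startsWith('^') ? caretUpperBound(base) : tildeUpperBound(base);
    return compareVersions(version, base) >= 0 && compareVersions(version, upper) < 0;
  }
  if (EXACT.test(r)) return compareVersions(version, r) === 0;
  throw new Error(`unsupported range syntax: ${range}`);
}

// What a fresh `npm install` with no lockfile would choose: the highest
// published version satisfying the range, or null if none does.
function resolveRange(range, publishedVersions) {
  const candidates = publishedVersions.filter((v) => satisfies(v, range));
  if (candidates.length === 0) return null;
  candidates.sort(compareVersions);
  return candidates[candidates.length - 1];
}

function isFloating(range) {
  return !EXACT.test(String(range).trim());
}

// Audit package.json dependencies against a lockfile "packages" map (lockfile
// v2/v3 layout). Finding kinds: floating-range, not-in-lockfile,
// resolved-above-declared (lockfile already drifted past the base version),
// missing-integrity (no hash to detect a tampered tarball).
function auditDependencies(pkg, lock) {
  const findings = [];
  const packages = (lock && lock.packages) || {};
  for (const [name, range] of Object.entries(pkg.dependencies || {})) {
    if (isFloating(range)) findings.push({ name, kind: 'floating-range', range });
    const entry = packages[`node_modules/${name}`];
    if (!entry) { findings.push({ name, kind: 'not-in-lockfile', range }); continue; }
    const base = String(range).trim().replace(/^[\^~]/, '');
    if (compareVersions(entry.version, base) > 0) {
      findings.push({ name, kind: 'resolved-above-declared', range, resolved: entry.version });
    }
    if (!entry.integrity) {
      findings.push({ name, kind: 'missing-integrity', range, resolved: entry.version });
    }
  }
  return findings;
}

// Constructed sample manifests: "example-pinned-lib" is hypothetical and "1.1.6"
// stands in for "the next version published after ^1.1.5 was added".
const samplePackageJson = {
  dependencies: { 'electron-native-notify': '^1.1.5', 'example-pinned-lib': '2.0.0' },
};
const samplePackageLock = {
  packages: {
    'node_modules/electron-native-notify': { version: '1.1.6', integrity: 'sha512-constructedPlaceholder' },
    'node_modules/example-pinned-lib': { version: '2.0.0' },
  },
};

// Bundle both results so a reader or a test can inspect them.
function runDemo() {
  return {
    freshInstallPicks: resolveRange('^1.1.5', ['1.1.4', '1.1.5', '1.1.6', '2.0.0']),
    findings: auditDependencies(samplePackageJson, samplePackageLock),
  };
}

console.log(JSON.stringify(runDemo(), null, 2));
```

Running the block shows a fresh install of ^1.1.5 selecting 1.1.6 rather than the 1.1.5 the contributor added, and the audit flagging electron-native-notify both for its floating range and for the lockfile having drifted above 1.1.5. The practical controls this illustrates are to pin exact versions (or commit a lockfile with integrity hashes and install with a lockfile-respecting command), and to treat any resolved-above-declared finding as a signal that a release needs re-review.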
Total Amount Lost
Reports put the value of the funds at risk at roughly $13,000,000 USD: around 8 million KMD (about US$12.5 million at the time) and 96 BTC (about US$765,000). Most of this was swept by Komodo's team before the attacker could take it, and the sources do not give a figure for funds actually taken by the attacker. Some coverage describes the $13 million figure as the amount saved rather than lost, which accounts for the discrepancy between headlines.
Immediate Reactions
Komodo published a security announcement on its forum, blog and Twitter account advising all Agama users to move any funds linked to the affected seeds (Komodo, assetchains and other coins) to a new address as soon as possible. Its security team used the attacker's own exfiltration channel to retrieve the collected seeds and swept around 8 million KMD and 96 BTC into wallets under Komodo's control, with a support-page article describing how owners could reclaim them. Komodo also said a detailed timeline would be published once funds were secured and the problem fixed.
Ultimate Outcome
Komodo later published an update confirming that the bug had been planted deliberately by a contributor who built trust over several months, and that the seeds were stored on a public server to obscure the attacker's identity. The sources cited here do not identify the attacker or report any investigation outcome, prosecution or lawsuit. The SuperNETorg/Agama repository now directs users to the komodoplatform/agama repository, and the wallet appears to have been discontinued.
Total Amount Recovered
Komodo reported sweeping around 8 million KMD and 96 BTC from the vulnerable wallets into wallets under its own control, to be reclaimed by their owners through its support portal. The sources do not state how much of this was ultimately reclaimed by users, nor whether any funds taken by the attacker were recovered.
Ongoing Developments
No open items are documented in the sources cited here.
General Prevention Policies
Given the risk, every update to wallet software, including updates to third-party dependencies pulled in at build time, should be subject to peer review before release; a floating version range in a manifest effectively delegates that review to whoever publishes the next release of the dependency.
Platforms and individuals are best served by a multi-signature setup whose signing wallets come from multiple independent supply chains, so that a single compromised wallet release cannot move funds on its own.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- ↑ [Cryptocurrency wallet GateHub hacked, nearly $10 million stolen](https://www.tripwire.com/state-of-security/featured/cryptocurrency-wallet-gatehub-hacked/) (Dec 26, 2022)
- ↑ [Komodo hacks own Agama wallet to protect user funds - CoinGeek](https://coingeek.com/komodo-hacks-own-agama-wallet-to-protect-user-funds/) (Dec 31, 2022)
- ↑ [GitHub - SuperNETorg/Agama: Please use http://github.com/komodoplatform/agama](https://github.com/SuperNETorg/Agama) (Dec 31, 2022)
- ↑ [Agama security announcement - Guides - KomodoPlatform Community Forum](https://forum.komodoplatform.com/t/agama-security-announcement/429) (Dec 31, 2022)
- ↑ [Agama | Wallets | Neironix](https://neironix.io/wallets/agama) (Dec 31, 2022)
- ↑ [Agama - BitcoinWiki](https://en.bitcoinwiki.org/wiki/Agama) (Dec 31, 2022)
- ↑ [Agama Wallet - Reviews and Features | CryptoCompare.com](https://www.cryptocompare.com/wallets/agama/) (Dec 31, 2022)
- ↑ [Agama Wallet, a multi-wallet for the entire Komodo ecosystem - Crypto Economy](https://crypto-economy.com/agama-wallet/) (Dec 31, 2022)
- ↑ [Agama Wallet: How to create a wallet and encrypt seed locally with a password - YouTube](https://www.youtube.com/watch?v=dOwgnKQbhf4) (Dec 31, 2022)
- ↑ [https://komodoplatform.com/vulnerability-discovered-in-komodos-agama-wallet-this-is-what-you-need-to-do/](https://komodoplatform.com/vulnerability-discovered-in-komodos-agama-wallet-this-is-what-you-need-to-do/) (Dec 31, 2022)
- ↑ [Update Regarding Vulnerability Discovered in Komodo's Agama Wallet](https://web.archive.org/web/20190624121724/https://komodoplatform.com/update-agama-vulnerability/) (Dec 31, 2022)
- ↑ [The npm Blog — Plot to steal cryptocurrency foiled by the npm...](https://web.archive.org/web/20190624121723/https://blog.npmjs.org/post/185397814280/plot-to-steal-cryptocurrency-foiled-by-the-npm) (Dec 31, 2022)
- ↑ [https://www.altcoinbuzz.io/cryptocurrency-news/serious-vulnerability-found-in-komodos-agama-wallet-move-funds-to-a-safe-wallet-immediately/](https://www.altcoinbuzz.io/cryptocurrency-news/serious-vulnerability-found-in-komodos-agama-wallet-move-funds-to-a-safe-wallet-immediately/) (Dec 31, 2022)
- ↑ [@KomodoPlatform Twitter](https://twitter.com/KomodoPlatform/status/1136169195173892098) (Dec 31, 2022)
- ↑ [Cryptocurrency Firm Itself Hacked Its Customers to Protect Their Funds From Hackers](https://thehackernews.com/2019/06/komodo-agama-wallet-hacking.html) (Dec 31, 2022)
- ↑ [Crypto Startup Hacks Itself to Save $13 Million in Users’ Cryptocurrency | Technology News](https://gadgets.ndtv.com/internet/news/komodo-agama-wallet-hack-13-million-kmd-btc-2049567) (Dec 31, 2022)
- ↑ [Komodo Vulnerability Recently Discovered In Komodos Agama Wallet](https://medium.com/paradigm-fund/komodo-vulnerability-recently-discovered-in-komodos-agama-wallet-be6603688127) (Dec 31, 2022)
- ↑ [npm Blog Archive: Plot to steal cryptocurrency foiled by the npm security team](https://blog.npmjs.org/post/185397814280/plot-to-steal-cryptocurrency-foiled-by-the-npm.html) (Dec 31, 2022)