By CCN: Better the thief you know than the one you don’t. Cryptocurrency platform Komodo has had to hack its users after discovering a serious security flaw in one of its wallets.
According to a press statement by the blockchain startup, Komodo’s cybersecurity team was able to ‘sweep’ in and retrieve 8 million Komodo coins (KMD) and 96 Bitcoin before hackers got hold of the exposed loot. An estimated $13 million worth of cryptocurrency was saved in the process.
A video on YouTube reveals how bad actors could have potentially gained access to Komodo users’ private keys:
Funds are Safe and Sound But Still Centralized
The Komodo team has moved all funds to two company-owned wallets in the meantime:
Owners can claim them back in the coming weeks as the details are ironed out. Komodo urged affected users to get in touch via their Discord channel:
The team also encouraged all users of their Agama wallets to transfer funds to a new address just as a safety precaution.
The unusual nature of this defense worked this time around but it does raise questions about the so-called ‘decentralized’ nature of cryptocurrency. In cases of disputes or fraud like above should someone step in to regulate a nascent industry like crypto?
Open-Source is a Double-Edged Sword for Cryptocurrency
The security flaw was ultimately discovered by auditors from npm, a package manager for Javascript. Unfortunately, this kind of attack is becoming more commonplace as hackers look for more creative ways to steal crypto.
The attack was carried out by using a pattern that is becoming more and more popular; publishing a ‘useful’ package to npm, waiting until it was in use by the target, and then updating it to include a malicious payload.
The philosophy of open-source has spawned popular software like Linux, WordPress, and Firefox but has also come at a real cost to security. As remote working continues to grow, there is a serious need to audit developers, some of whom are half-way around the world.
Essentially we hacked the hacker, but he is very patient. He spent months acting as a normal contributor…
Komodo unwittingly included the compromised Javascript library into their Agama wallet, however, not all versions were affected.
Komodo Hacks Its Users But KMD Remains Unaffected
KMD has had a fairly muted reaction in the market since the announcement suggesting the company plugged the hole before hackers could do any serious damage.
Cryptocurrency enthusiasts will no doubt be hoping that this is the first and only time a project will need to hack its users to keep their funds safe.