BSV
$68.93
Vol 140.2m
3.66%
BTC
$97392
Vol 53673.96m
-1.98%
BCH
$502.21
Vol 1809.72m
3.01%
LTC
$97.75
Vol 2747.01m
7.8%
DOGE
$0.41
Vol 24320.1m
4.64%
Getting your Trinity Audio player ready...

A serious vulnerability has been discovered in a cryptocurrency wallet app, putting millions of dollars’ worth of user cryptocurrency at imminent risk of theft. The vulnerability was discovered in the Agama wallet app, which runs on the Komodo platform, during an independent security audit of the code this week.

When alerted to the hack, the Komodo team used the same exploit to take user funds out of compromised accounts and move them to safe storage, a risky tactic that saw them effectively hack their own app to protect users.

The tactic appears to have saved some 96 SegWitCoin (BTC), worth around $13 million, before a hacker stumbled over the funds.

In a post on their blog, Komodo described its response to the attack, and how users affected can reclaim funds removed from their wallets. According to Komodo, “After discovering the vulnerability, our Cyber Security Team used the same exploit to gain control of a lot of affected seeds and secure the funds at risk. We were able to sweep around 8 million KMD and 96 BTC from the vulnerable wallets, which otherwise would have been easy pickings for the attacker.

“The safe wallets RSgD2cmm3niFRu2kwwtrEHoHMywJdkbkeF (KMD) and 1GsdquSqABxP2i7ghUjAXdtdujHjVYLgqk (BTC) are under the control of the Komodo Team, and assets can be reclaimed by their owners. See our support page article for details.”

Nevertheless, serious questions will now be asked of the firm and its security setup, with attention turning to the integrity of its other apps.

The backdoor was uncovered by a team at the npm JavaScript package repository, which found a malicious update for the electron-native-notify library.

The team found that the update was in fact a supply chain attack aimed at an alternative target downstream. Agama was using EasyDEX-GUI, which was directly loading the compromised library.

The team responsible for uncovering the attack said the script would collect sensitive information, including passwords, and record them on a remote server, making the subsequent theft a straightforward process.

While Komodo appears to have got off lightly, the firm must now prioritize security to ensure this cannot happen again.

Recommended for you

David Case gets technical with Bitcoin masterclass coding sessions
Whether you're a coding pro or a novice, David Case's livestream sessions on the X platform are not to be...
November 21, 2024
NY Supreme Court’s ruling saves BTC miner Greenidge from closing
However, the judge also ruled that Greenidge must reapply for the permit and that the Department of Environmental Conservation has...
November 20, 2024
Advertisement
Advertisement
Advertisement