
A serious vulnerability has been discovered in a cryptocurrency wallet app, putting millions of dollars’ worth of user cryptocurrency at imminent risk of theft. The vulnerability was discovered in the Agama wallet app, which runs on the Komodo platform, during an independent security audit of the code this week.

When alerted to the hack, the Komodo team used the same exploit to take user funds out of compromised accounts and move them to safe storage, a risky tactic that saw them effectively hack their own app to protect users.

The tactic appears to have saved some 96 SegWitCoin (BTC), worth around $13 million, before a hacker stumbled over the funds.

In a post on their blog, Komodo described its response to the attack, and how users affected can reclaim funds removed from their wallets. According to Komodo, “After discovering the vulnerability, our Cyber Security Team used the same exploit to gain control of a lot of affected seeds and secure the funds at risk. We were able to sweep around 8 million KMD and 96 BTC from the vulnerable wallets, which otherwise would have been easy pickings for the attacker.

“The safe wallets RSgD2cmm3niFRu2kwwtrEHoHMywJdkbkeF (KMD) and 1GsdquSqABxP2i7ghUjAXdtdujHjVYLgqk (BTC) are under the control of the Komodo Team, and assets can be reclaimed by their owners. See our support page article for details.”

Nevertheless, serious questions will now be asked of the firm and its security setup, with attention turning to the integrity of its other apps.

The backdoor was uncovered by a team at the npm JavaScript package repository, which found a malicious update for the electron-native-notify library.

The team found that the update was in fact a supply chain attack aimed at an alternative target downstream. Agama was using EasyDEX-GUI, which was directly loading the compromised library.

The team responsible for uncovering the attack said the script would collect sensitive information, including passwords, and record it on a remote server, making the subsequent theft a straightforward process.
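The dependency chain described above (an app using a GUI module that loads electron-native-notify) is something a downstream team can check from its npm lockfile. The following is an added example, not code from Komodo or npm; the function name `auditLockfile`, the `wallet-app` and `gui-module` package names, the version string and the registry URL are constructed placeholders.

```javascript
// Added example: audit a parsed package-lock.json for one package name.
// Returns where it is installed and which packages declare it as a dependency.
function auditLockfile(lock, target) {
  const installs = [];
  const requiredBy = new Set();
  const note = (name, meta, declared) => {
    if (name === target) {
      installs.push({ version: meta.version, resolved: meta.resolved || null });
    }
    if (declared && Object.prototype.hasOwnProperty.call(declared, target)) {
      requiredBy.add(name || '(root project)');
    }
  };
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path; "" is the root project.
    for (const [path, meta] of Object.entries(lock.packages)) {
      const name = path.split('node_modules/').pop();
      note(name, meta, { ...meta.dependencies, ...meta.optionalDependencies });
    }
  } else {
    // lockfileVersion 1: nested "dependencies"; each entry lists its "requires".
    // The root project's own direct dependencies are not recorded in this format.
    const walk = (deps) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        note(name, meta, meta.requires);
        walk(meta.dependencies);
      }
    };
    walk(lock.dependencies);
  }
  return { installs, requiredBy: [...requiredBy].sort() };
}

// Constructed sample: hypothetical "wallet-app" depends on hypothetical
// "gui-module", which depends on electron-native-notify (the package named above).
const SAMPLE_LOCK = {
  name: 'wallet-app', lockfileVersion: 3,
  packages: {
    '': { name: 'wallet-app', version: '1.0.0', dependencies: { 'gui-module': '^2.0.0' } },
    'node_modules/gui-module': {
      version: '2.0.0', dependencies: { 'electron-native-notify': '^0.0.0' } },
    'node_modules/electron-native-notify': {
      version: '0.0.0-sample', resolved: 'https://registry.example/electron-native-notify.tgz' },
  },
};

console.log(auditLockfile(SAMPLE_LOCK, 'electron-native-notify'));
```

For a real project, pass the result of `JSON.parse` on the contents of `package-lock.json` instead of the sample object.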

While Komodo appears to have got off lightly, the firm must now prioritize security to ensure this cannot happen again.
