Komodo: Vulnerability Recently Discovered In Komodo’s Agama Wallet

Published in Paradigm, Jun 21, 2019

Biweekly update 7th June— 21st June

Attention: If you had funds stored in Komodo’s Agama wallet and those funds were moved without your knowledge or permission, please complete this form at your earliest convenience. Please note you will need to fill a separate form for each asset. It is essential that all Agama users who had their funds moved fill out the form.

The headline Komodo news of this period is the recently discovered vulnerability in the Agama wallet app, which allowed an intruder to steal KMD coins. The incident drew enough attention that CryptoBriefing published an interview with the Lead Developer about the attack. Community interest in Discord appears to have grown, which is likely related to the hack: Discord is where crypto projects communicate with their developers, and users could follow the latest news on the fix there. The development team was consumed by the response, so the company's full effort went into recovering from the incident. The only article Komodo published that does not concern the incident introduces Antara, an end-to-end framework for developing and deploying Komodo-based Smart Chains. We are watching closely and count on a positive resolution of the problem. We also appreciate the measures taken to warn users and to prevent further attacks.

Development

GitHub
Developer activity (from Coinlib.io)

Update Regarding Vulnerability Recently Discovered In Komodo’s Agama Wallet

On June 4, 2019 at approximately 5pm UTC, the Komodo team received a private notification from npm (Node Package Manager, a popular tool for including external Node.js libraries in any project) about a vulnerability in one of the upstream libraries Komodo’s Agama wallet was using.


  • An Overview Of The Vulnerability

Komodo’s version of Agama wallet was using a Node.js module that contained malicious code. The infected module was collecting user seed phrases and storing them on a publicly accessible server. Please read this post on the npm blog for more details about the malicious code and how it was inserted.

Please note that only Komodo’s version of Agama wallet was affected. Verus Coin, a project within the Komodo ecosystem that maintains a distinct version of Agama, was not affected by this vulnerability.

The Verus Agama wallet is completely secure and one of the recommended wallets in which to store your KMD. Verus Coin supports a number of ecosystem coins, including KMD, VRSC, and ARRR, as well as BTC, ETH, and other major digital assets.

It now seems clear that the bug was created intentionally to target Komodo’s version of Agama wallet. A hacker spent several months making useful contributions to the Agama repository on GitHub before inserting the bug. Eventually, the hacker added malicious code to an update of a module that Komodo’s Agama was already using.

The update contained malicious code that stored all seed phrases on a public server. The hacker saved the seed phrases on a public server to obscure his/her identity and to create a scenario where anyone could be a suspect when the vulnerability was finally exploited.
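The mechanism above is a dependency update that changed the wallet's installed code without any change to the wallet's own sources. As an added example (not code from Komodo, Agama or npm), the script below diffs the `packages` section of two package-lock.json files (lockfileVersion 2/3 layout) so that a new patch release or a newly pulled-in transitive package shows up in review; the package names, versions, integrity hashes and the caret range are constructed placeholders, not the real modules involved in the incident.

```javascript
// Added example, not code from Komodo, Agama or npm: compare the "packages"
// section of two package-lock.json objects (lockfileVersion 2/3 layout) so that a
// silently changed upstream dependency shows up in review instead of being
// installed unnoticed. All names, versions and hashes are constructed placeholders.

function diffLockfiles(before, after) {
  const prev = before.packages || {};
  const next = after.packages || {};
  const findings = [];
  for (const [path, pkg] of Object.entries(next)) {
    if (path === "") continue; // the root project entry, not a dependency
    const old = prev[path];
    if (!old) {
      findings.push({ path, kind: "added", version: pkg.version });
    } else if (old.version !== pkg.version) {
      findings.push({ path, kind: "version-changed", from: old.version, to: pkg.version });
    } else if (old.integrity !== pkg.integrity) {
      // Same version string but a different tarball hash: the artifact itself changed.
      findings.push({ path, kind: "integrity-changed", version: pkg.version });
    }
    if (!pkg.integrity) {
      // Without an integrity field npm cannot verify the tarball it downloads.
      findings.push({ path, kind: "missing-integrity", version: pkg.version });
    }
  }
  for (const [path, old] of Object.entries(prev)) {
    if (path !== "" && !(path in next)) {
      findings.push({ path, kind: "removed", version: old.version });
    }
  }
  return findings;
}

// Review gate: any new package, changed artifact or unverifiable tarball needs a human look.
function needsReview(findings) {
  const blocking = new Set(["added", "version-changed", "integrity-changed", "missing-integrity"]);
  return findings.filter((f) => blocking.has(f.kind));
}

// Constructed sample: the lockfile committed with the wallet ...
const LOCK_BEFORE = {
  lockfileVersion: 2,
  packages: {
    "": { name: "sample-wallet", version: "0.1.0" },
    "node_modules/notify-lib": {
      version: "1.1.5",
      resolved: "https://registry.example/notify-lib/-/notify-lib-1.1.5.tgz",
      integrity: "sha512-PLACEHOLDER_HASH_A",
    },
  },
};

// ... and the lockfile after an install resolved an assumed caret range to a new
// patch release that also pulls in a previously unseen transitive dependency.
const LOCK_AFTER = {
  lockfileVersion: 2,
  packages: {
    "": { name: "sample-wallet", version: "0.1.0" },
    "node_modules/notify-lib": {
      version: "1.1.6",
      resolved: "https://registry.example/notify-lib/-/notify-lib-1.1.6.tgz",
      integrity: "sha512-PLACEHOLDER_HASH_B",
      dependencies: { "stream-helper": "^0.1.0" },
    },
    "node_modules/stream-helper": {
      version: "0.1.2",
      resolved: "https://registry.example/stream-helper/-/stream-helper-0.1.2.tgz",
    },
  },
};

function sampleReview() {
  return needsReview(diffLockfiles(LOCK_BEFORE, LOCK_AFTER));
}

console.log(sampleReview());
```

Running this diff in CI against the committed lockfile turns an unplanned upstream release into a blocking review item rather than a silent install.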

  • Understanding The Vulnerability

The KMD blockchain was not affected in any way. There is no vulnerability with the KMD blockchain or any other blockchain launched with Komodo’s technology. There is absolutely no need for a rollback or a hard fork. It’s crucial to understand that this was not a 51% attack or any other kind of attack on the KMD chain.

Rather, it was a security vulnerability in an external module that the code base of Agama wallet depended upon. The Komodo Team was made aware of the vulnerability and took immediate action to protect user funds and eliminate the threat.

In addition, only Komodo’s version of Agama was affected. The Verus Agama wallet is completely secure and one of the recommended wallets in which to store your KMD.

  • Komodo’s Response To The Vulnerability

Once the Komodo Dev Team learned that users’ seed phrases were being exported from Komodo’s Agama and catalogued, the decision was made to exploit the bug before a bad actor could do so.

After review, it seems the attacker had started emptying wallets before the Komodo Dev Team jumped into action. At the time, the Komodo Dev Team did not know that the attacker was already stealing funds and made the decision to secure vulnerable funds independently. Now, it is very clear that the Komodo team was in a race against the attacker to move all the funds in compromised wallets.

Using the seed phrases stored on the publicly accessible server, the Komodo Dev Team opened the compromised wallets and moved the funds to a secure wallet.

It is important to note that the Komodo Dev Team does not have access to anyone’s private keys, seed phrases, or funds, including Agama wallet users.

The only way that the Komodo Dev Team was able to move users’ funds in this case was by accessing the trove of seed phrases that the attacker’s malicious module had saved.

Approximately 8 Million KMD and 96 BTC are now in a secure wallet being safeguarded by the Komodo Dev Team. All funds will be returned to users once they generate a new, secure wallet, complete the Missing Funds Claim Form, and send a small transaction from the old wallet.

  • How To Reclaim Your Swept Funds

If you had funds stored in Agama wallet that someone else sent to a different address, the first step is to complete this Missing Funds Claim Form.

The reclaim process will begin with wallets that had less than 7777 KMD in them and are undisputed (meaning that only one missing funds claim was made for that wallet). If you meet these conditions then please read this support guide to learn more about the reclaim process.

The process will be simple and blockchain-based. First, a very small fraction of a KMD coin was sent to all addresses from which funds were swept. This step is already complete.

Second, the rightful owner of that address must access their compromised wallet and send that small amount of KMD to the same destination address specified in the Missing Funds Claim Form. This verifies that the same individual who completes the form is the rightful owner of the funds they are reclaiming.

Finally, the Komodo Team will return all funds moved in the security sweep. The Komodo Dev Team aims to process all of these undisputed refunds of less than 7777 KMD by June 15. Please be patient during this time.

For all other wallets — those with more than 7777 KMD and those for which multiple Missing Funds Claim Forms were completed — more details will follow soon. The Komodo Team aims to have all of these funds returned by June 30.
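The three-step process above (probe sent to each swept address, owner spends the probe to the destination named on the form, undisputed wallets under 7777 KMD refunded first) can be reconciled mechanically. The block below is an added example and not Komodo's own tooling: the threshold and the one-claim-per-wallet rule come from the post, while the probe amount, record shapes and every address, amount and transaction are constructed.

```javascript
// Added example, not Komodo's own tooling: sort Missing Funds Claim Forms into the
// buckets the reclaim process describes. The 7777 KMD threshold and the
// one-claim-per-wallet rule come from the post; the probe amount, the record
// shapes and every address, amount and transaction below are constructed.

const FIRST_ROUND_LIMIT_KMD = 7777; // claims at or above this wait for the later round
const DUST_KMD = 0.0001;            // assumed size of the probe sent to each swept address

// sweptWallets: { [address]: kmdSwept }
// claims:       [{ sweptAddress, destination }] taken from the claim forms
// txs:          [{ from, to, amount }] observed on-chain after the probe was sent
function classifyClaims(sweptWallets, claims, txs) {
  const claimsByAddress = new Map();
  for (const c of claims) {
    if (!claimsByAddress.has(c.sweptAddress)) claimsByAddress.set(c.sweptAddress, []);
    claimsByAddress.get(c.sweptAddress).push(c);
  }
  const results = [];
  for (const [address, kmdSwept] of Object.entries(sweptWallets)) {
    const addrClaims = claimsByAddress.get(address) || [];
    if (addrClaims.length === 0) {
      results.push({ address, status: "no-claim" });
      continue;
    }
    if (addrClaims.length > 1) {
      // More than one form names this wallet: disputed, held for the later round.
      results.push({ address, status: "disputed", claimCount: addrClaims.length });
      continue;
    }
    const { destination } = addrClaims[0];
    if (kmdSwept >= FIRST_ROUND_LIMIT_KMD) {
      results.push({ address, status: "deferred-large", destination });
      continue;
    }
    // Ownership proof: the probe amount was spent from the swept address to exactly
    // the destination given on the form, so the claimant controls the old key.
    const proven = txs.some(
      (t) => t.from === address && t.to === destination && t.amount === DUST_KMD
    );
    results.push({
      address,
      destination,
      status: proven ? "refund" : "awaiting-proof",
      refundKmd: proven ? kmdSwept : 0,
    });
  }
  return results;
}

// Constructed sample data (placeholder addresses, not real KMD addresses).
const SWEPT = {
  RSWEPT1_placeholder: 120.5,
  RSWEPT2_placeholder: 9000,
  RSWEPT3_placeholder: 50,
  RSWEPT4_placeholder: 10,
};
const CLAIMS = [
  { sweptAddress: "RSWEPT1_placeholder", destination: "RNEW1_placeholder" },
  { sweptAddress: "RSWEPT2_placeholder", destination: "RNEW2_placeholder" },
  { sweptAddress: "RSWEPT3_placeholder", destination: "RNEW3A_placeholder" },
  { sweptAddress: "RSWEPT3_placeholder", destination: "RNEW3B_placeholder" },
  { sweptAddress: "RSWEPT4_placeholder", destination: "RNEW4_placeholder" },
];
const TXS = [
  { from: "RSWEPT1_placeholder", to: "RNEW1_placeholder", amount: 0.0001 },
  { from: "RSWEPT4_placeholder", to: "RELSEWHERE_placeholder", amount: 0.0001 }, // wrong destination
];

function sampleClassification() {
  return classifyClaims(SWEPT, CLAIMS, TXS);
}

console.log(sampleClassification());
```

The probe step proves possession of the swept address's key, and whoever harvested the seed phrases holds that key too, so the single-claim condition and the destination address on the form are what separate the rightful owner from a competing claim. Treat every "disputed" result as a case for manual review rather than an input error.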

  • The Extent Of The Losses

In total, the hacker managed to gain control of approximately 1 Million KMD. This is less than one percent of the circulating supply of KMD and roughly 0.5% of the total supply. The total supply of KMD is approximately 200 Million and will be reached around the year 2030.

The Komodo Dev Team is still conducting an analysis of the attack and the Support Team is still gathering information from users about funds that were either swept to a secure address or stolen by the attacker, so detailed plans have not yet been made.

However, it’s important to note that the Komodo team will be doing everything possible to make sure everyone gets all of their funds back. Komodo’s Lead Developer James ‘jl777’ Lee has pledged to donate 500,000 KMD from his personal holdings to compensate users who lost their funds in this attack. More details will be released in the coming days.

  • Keeping The Komodo Ecosystem Secure

In place of Agama wallet, we are releasing a new wallet, AtomicDEX — a hybrid product that is both a multi-coin wallet and a decentralized exchange. AtomicDEX relies on newer, more advanced and more secure technologies.

One important aspect of AtomicDEX’s features is that it only utilizes dependencies that are reviewed by security experts. The new software environment and architecture of AtomicDEX will make security vulnerabilities less likely.

The Komodo team always makes security the highest priority. Our security team is constantly monitoring our network and blockchain activities to ensure the safety of our users.

New tutorials:

Following the Komodo cybersecurity team's sweep of compromised addresses, the first round of funds reclamation via blockchain rules is already being fulfilled. The scheme for verifying ownership of the affected keys combines on-chain and off-chain methods, reconciling the data through a quick resolution handled by the support desk. This effective use of the blockchain has enabled a community project to process claims efficiently.

The bespoke blockchain reclamation solution for distributing funds back to users is a real-world example of processing business logic on a blockchain effectively and efficiently. The quick resolution is not fully blockchain-enabled and relies on off-chain, manual verification, for two reasons: the funds are under centralized control for a period, and no time was set aside for full end-to-end blockchain testing.

This quick resolution for funds reclamation is an example of a future multi-chain credit or refund system that could be integrated with an on-chain payments and disbursements module.

The rest of the article uses the templated blockchain solutions to distribute free coins to users, relying only on the blockchain and on native code for fast processing.

Example Interoperable Smart Chains Using Antara Rewards & Antara Faucet (With ROGUE gameplay in the middle of the green chain)

Full article can be found here.

Social encounters

Komodo Evolution Towards a Multi-Chain Future: Introducing Antara Framework and Smart Chains

Komodo technology has been rapidly evolving during the past years and we are no longer the same project. Komodo has launched an ‘evolution campaign’ to start introducing the new Komodo terminology and product offerings. Its most important new product in the making is Antara: an end-to-end framework to develop and deploy Komodo-based Smart Chains. Smart Chains are sovereign and purpose-built but interoperable; together they form a multi-chain ecosystem.

  • Antara Smart Chains

Antara Smart Chains are composable: fully customizable and modular, and each one can be created to perfectly fit any specific use case. Smart Chains have their own consensus rules, their own decentralized network, and currency. Antara Smart Chains are fully autonomous.

  • Antara Modules

Smart Chains come with a built-in library of powerful modules like decentralized trustless oracles, on-demand algorithmic stablecoins, and payment channels. These can be activated in any combination.

Permissionless Innovation: The Foundation For A Thriving Blockchain Ecosystem

The boom of proprietary platforms has led to the centralization of the Internet. Such platforms go against the open source ethos, and tend to lock-in both users and developers under the arbitrary constraints and whims of the platform’s owners.

The Internet should remain equally accessible to entrepreneurs, developers, and other independent creators. Blockchain technology has promised to reverse this trend and provide us with the necessary tools and technologies to build a truly open Internet ecosystem. However, many of the blockchain platforms have partly fallen to the same gated-garden mentality. How can we do better?

  • The Rise Of Closed Platforms

Internet might be open at its core, but it has become increasingly centralized. Most modern platforms are closed-source and heavily guarded from competition. To a degree, the Internet today is a group of gated communities, which remain isolated from each other.

That is not how the Internet was envisioned decades ago, as described by Chris Dixon in his wired.com article:

As the Internet has evolved over its 35-year lifespan, control over its most important services has gradually shifted from open source protocols maintained by non-profit communities to proprietary services operated by large tech companies. As a result, billions of people got access to amazing, free technologies. But that shift also created serious problems.

Why did this happen? In short, the Internet lacked the technologies necessary to enable a fully decentralized and open environment. This gave proprietary platforms an edge that allowed them to act as trusted middlemen and take control of the Internet itself.

After the launch of Bitcoin and the underlying blockchain technology, a new hope was born. For the first time, the open source community had all the necessary tools to realize the vision of a truly open Internet, a vision also known as Web 3.0. Still, blockchain technology has a long way to go.

The key to building an open ecosystem is a concept we call permissionless innovation. In essence, it means that an entrepreneur can build atop an open-source platform without permission from or payment to those who developed the platform itself. It means never having to worry about the terms and conditions of building on a particular platform suddenly changing, thus disabling an entrepreneur’s technology and business.

  • Blockchain Technology As The Solution

Blockchain combines the societal benefits of open protocols with the financial and architectural benefits of proprietary networks. The result is an open ecosystem without silos, barriers, or other arbitrary limitations; an ecosystem that will eventually make the currently dominant gated-garden business model obsolete.

What then are the key technologies that blockchain has to offer? To name a few: decentralized identity and user authentication, cross-platform interoperability, shared user base, provable history, immutability, and of course trustless value exchange and other financial services.

This vision is becoming increasingly popular as the blockchain industry matures. Already, we are seeing an evolution from smart contract platforms to multi-chain platforms. Now, there are a dozen platforms competing to provide the infrastructure layer for the next few decades, Komodo being one of them.

All blockchain platforms are permissionless to a degree. All of them are a giant upgrade to the existing, server-client models. However, there are also crucial differences, and we believe the solution that provides the most sovereignty will emerge as the winner.

Sovereignty clearly sets Komodo apart from all the others, but it’s not just about the technology. The values on open source and decentralization are in Komodo’s DNA. We have embraced the concept of permissionless innovation and are looking to build a superior solution without any arbitrary limitations.

  • Permissionless Innovation Through Multi-Chain Architecture

You might think that preventing projects from using a platform is not a limitation, rather a useful feature. After all, who would like to see the technology used by bad actors and criminals? Wouldn’t it be better if we reserve the right to block them?

The problem is that if someone holds the keys to change the underlying architecture, they inevitably will. This might mean excessive censorship or it might mean designing economic models to enrich the platform owners. It might take 10 years or 30 years but eventually the rules will be twisted to serve special interests.

Simply put, if an ecosystem is worth billions of dollars, a few very small changes can turn it into a money making machine serving just a few people. What was envisioned to remain open would eventually become a walled garden, where the established players want to protect themselves from future competition and appeal to the platform authorities to push through a set of changes that they have outlined. Before we know it, we all find ourselves using a platform that is no longer open.

It is vitally important that the future Internet’s platforms and ecosystems are based on architecture no one controls entirely. We have to build an open source future that guarantees to maintain the values of openness and accessibility, and this is why we believe sovereign blockchains are the superior solution.

We envision a world where millions of interconnected sovereign blockchains work together. Together they create a globally interconnected ecosystem, but each project remains in full control of its tech stack. It is a platform that anyone can extend and contribute to, a platform that is open source and welcomes community contributions. We call this an open platform.

  • Characteristics Of An Open Platform

We have sought to build an open platform with a vision of an industry where projects collaborate together to build the next generation of blockchain technology.

The open platform provides an underlying set of technologies, tools, and services that accelerate the development of higher level market-ready solutions. Here is what we consider to be the key requirements of an open platform:

  1. Autonomy. Businesses need autonomy to succeed. All projects should control their own blockchain.
  2. Flexibility. Blockchain tech must meet all individual needs and remain flexible, even after implementation.
  3. Simplicity. Blockchain tech should be easy to adopt and update.
  4. Reliability. Businesses need investment protection and blockchain must evolve to meet future needs, including the unforeseen.

What does this all mean in practice? Let’s dive deeper into what we mean by ‘open platform’.

No vendor lock-in. Projects and businesses maintain complete independence and can detach themselves from the platform at any time.

No gas model. An open platform is blockchain agnostic. There are no parent chain nor gas fees to pay. Each project can customize the transaction fees as they see fit, and scale out at any time to meet the growing demand without affecting any other project that is building on the same platform.

Open Architecture. An underlying composable architecture allows anyone to contribute and extend the platform offering. The technology updates won’t necessarily come from the core Komodo team. Anyone can build new functionality that is then available for the whole ecosystem.

Open Standards. All Smart Chains share the same standard and thus drive the blockchain industry towards cohesion and integration, while at the same time staying backwards compatible with the existing Bitcoin infrastructure.

Open API. Komodo’s vision around composable architecture provides a unified API across the underlying infrastructure, which then empowers entrepreneurs by giving them free hands to innovate without restrictions on top of the open source platform.

Open Source. Nowadays everyone is accustomed to using proprietary platforms. However, by staying 100% open source, we will enable innovation that will build enormous value and a network effect that cannot be competed against, just like no one can compete against the Open Internet of today with a closed source version of it.

  • Towards The Komodo Multi-Chain Vision

Whatever the future world will look like in 10 to 30 years should not be determined by a single project or a group; but rather a multitude of communities and businesses each contributing to the ecosystem. A thriving blockchain space needs multiple independent actors who share the same vision.

Our mission is not only to develop the underlying technology components but also to inspire others by creating ideal conditions for a large-scale network effect.

Because of the open platform architecture, there can be countless second layer solution providers leveraging the underlying Komodo technology and providing more industry-specific offerings. For example, there could be a solutions integrator platform focusing on supply chain solutions, and an enterprise client that uses the underlying Komodo technology through the third-party supply chain platform provider.

Events:

The May meet-up offered the chance for anyone interested in crypto, blockchain and decentralised ledger technology to learn more about the latest industry news and advances. There was an array of public lectures and presentations as well as the chance for attendees to mingle with like-minded people and make new professional contacts. The blockchain and crypto industries move at a rapid rate, and therefore Bitcoin Club Cyprus aimed to deliver cutting-edge insight.

The event was recorded and livestreamed for future use.

Upcoming events:

Komodo is excited to announce that Business Development Manager Jason Brown will be speaking at the @MiningDisrupt Conference! It will take place at the DoubleTree Hilton hotel in Miami from July 23–24.

Roadmap

Komodo does have an internal roadmap, but has yet to make it public. Part of the reason is that if the landscape changes, the team wants to stay flexible and adapt as necessary.

1H 2019

2H 2019

  • Release of Komodo’s Developer Portal to support increased participation and involvement of Komodo community
  • Increased usage of AWS Marketplace to support Komodo products and services, including independent blockchains and custom consensus modules
  • Release of GUI for a fully mobile-ready wallet/DEX hybrid

Partnerships and team members

No updates.

Ecosystem

There are all projects built on Komodo in one Google Spreadsheet.

K64 Virtual Console showcases a variety of games powered by blockchain technology. It provides developers with the best software platform. It engages with designers to create the next legendary games. It focuses on bringing back arcade nostalgia with competitive gameplay and brewing rivalries. Its games are built for game lovers by game lovers. And now it is online!

Rumors

“The most important thing we want people to understand is that we don’t have — and never have had — access to users’ private keys or seed phrases. We used the attacker’s same exploit to find every address that was affected, and we made the decision to use that same exploit to protect those funds and transfer them to a safe location. This was an internal white-hat counterattack.”

Steve Lee, CMO of Komodo Platform

Summary:

  1. According to developers, some $13M of Komodo tokens were removed in a preventive theft that foiled a months-long hacking scheme.
  2. “A hacker spent several months making useful contributions to the Agama repository on GitHub before inserting the bug,” the team explained in an official update. “Eventually, the hacker added malicious code to an update of a module that Komodo’s Agama was already using.”
  3. NPM promptly notified Komodo developers, who had to take immediate action.
  4. This discovery presented a dilemma to the Komodo team: they knew that they would have to notify users, but they also needed to resolve the bug to prevent a hacker from immediately siphoning funds. The team believed the hacker was already collecting seeds and was simply waiting for the right time to steal the compromised funds. “We did a full scan, using the hacker’s exploits against him to understand which accounts had been affected,” explained Komodo CMO Steve Lee. “After assessing all possible options and scenarios, we made the decision to intervene on behalf of our users.”
  5. “It is important to understand that our core technology has not been compromised. This is a software product suffering from an external software vulnerability. The Komodo blockchain and all dPoW protected ecosystem chains remain entirely secure. Komodo has always employed a robust internal security code review process, along with external 3rd party penetration-testing, on all our core blockchain technologies. We are now assessing solutions to extend a more robust security audit to all our software products as well.”

Social media metrics

Social media activity:

Social media dynamics:

  • Community interest in Discord appears to have grown. This is likely related to the recent hack, since Discord is where crypto projects communicate with their developers, and users could follow all the latest news on the fix there.
  • JL777, Komodo’s Platform Core developer and founder, has started his own blog on Medium. This is aimed for developers who want to learn more about blockchain.

The graph above shows the dynamics of changes in the number of Komodo Reddit subscribers, Twitter followers and Facebook likes. The information is taken from Coingecko.com.

This is not financial advice.
