Komodo over the weekend offered further information about the self-imposed hack that saw them move $13.67 million worth of KMD and BTC from compromised Agama wallets. The Komodo team were able to use the hacker’s methodology against them and stop the hack before any damage could be done, although in retrospect it was a very close-run thing.
Agama Wallet Compromised
Komodo were alerted to the vulnerabilities within the Agama wallet by Node Package Manager (NPM), a popular tool that adds external Node.js libraries into projects. NPM detected that Komodo’s version of the Agama wallet included a Node.js module that contained malicious code which was collecting user seed phrases and storing them on a publicly accessible server. According to Komodo, the bug was intentionally created with the express purpose of hacking into the wallets and stealing the funds:
A hacker spent several months making useful contributions to the Agama repository on GitHub before inserting the bug. Eventually, the hacker added malicious code to an update of a module that Komodo’s Agama was already using.
The hacker recorded the seed phrases on a public server to obscure their identity and to create a scenario where no individual could be suspected when the vulnerability was exploited. NPM even posted a short clip on YouTube to illustrate the theft.
Race Against Time
Komodo learnt after their preventative hack that the hacker had in fact already begun the process of removing funds from the wallets at the same time, meaning they were unknowingly involved in a race against time to protect the tokens. The Komodo team knew which wallets to target only because the hacker had used a public database, which the team used to get there first and rescue the coins. If a private database had been used, it is likely that the team would not have been able to do this. The team acted so quickly that no tokens were taken from wallets and the vulnerability was patched, meaning that this was one hacking attempt that ended on a positive note.