
Blockchain Startup Komodo Hacks Itself, Claims to Save $13 Million in User Assets

www.cryptovibes.com 07 June 2019 08:53, UTC

Komodo, a blockchain startup, took a bizarre turn recently as it hacked itself to save $13 million in user assets. The startup found an issue with the Agama wallet, which could be exploited to siphon off cryptocurrencies.

A hack like no other

While hacks are common in the crypto sector, Komodo took the unusual path of hacking itself. The company learned of a backdoor vulnerability in the Agama wallet, which could be used to steal users' digital assets. Agama is one of the older wallet apps, and the flaw may provide a backdoor into its users' wallets. However, before hackers could exploit the issue, the developers found the flaw and extracted the at-risk digital currencies from the wallets they controlled.

The team confirmed that they could save 96 BTC worth about $742,000 and 8 million Komodo worth about $11.92 million from theft. In a security notice posted on June 5, the company noted that after it discovered the vulnerability, the Cyber Security Team at Komodo used the same exploit to take control of user funds and move them to a safe wallet. The company provides the addresses of the two safe wallets (one for BTC and one for KMD). It has asked users to reclaim their assets by following an article on its support page.

How did the vulnerability start?

The vulnerability was brought in through a dependency that started out as a useful code contribution. That dependency was later updated to carry a security vulnerability into the wallet. The vulnerability was discovered by the npm JavaScript package repository. The malicious code was pushed in the electron-native-notify (version 1.1.6) JavaScript library. This update included code designed to steal digital currency wallet seeds and login passphrases.

Npm staffers found that it was unusual for a limited feature-set wallet to contain such advanced functionality. The team then realized that it had discovered a supply-chain attack. The Agama wallet, which was the older wallet developed by Komodo, was loading “the now-malicious electron-native-notify library. The backdoor was added to the electron-native-notify library on March 8, but it made its way to Agama wallet on April 13 with the Agama v0.3.5 release.”

Npm explained that the attack used an increasingly popular method in which hackers publish a ‘useful’ package and later update it with a malicious payload. Komodo has asked its users to move all their assets out of Agama wallets.
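A defender's check for the dependency named above, as an added example that is not from the article, Komodo or npm: it walks a parsed package-lock.json and reports every install of electron-native-notify 1.1.6, including copies pulled in transitively. The flagged version is the one the article names (the page does not say whether other versions are affected); the sample lockfile and its other package names are constructed.

```javascript
// Added example: flag a known-bad dependency version in an npm lockfile.
// Package name and version come from the article; extend the map as advisories require.
const FLAGGED = { 'electron-native-notify': ['1.1.6'] };

// Accepts a parsed package-lock.json. Handles lockfileVersion 2/3 ("packages",
// keyed by node_modules path) and lockfileVersion 1 (nested "dependencies").
function findFlagged(lock, flagged = FLAGGED) {
  const found = [];
  const check = (name, version, where) => {
    if ((flagged[name] || []).includes(version)) found.push({ name, version, where });
  };
  if (lock.packages) {
    for (const [loc, info] of Object.entries(lock.packages)) {
      if (!loc) continue; // the "" key is the root project itself
      // "node_modules/a/node_modules/b" -> "b"; scoped names survive the split
      const name = info.name || loc.split('node_modules/').pop();
      check(name, info.version, loc);
    }
    return found;
  }
  const walk = (deps, trail) => {
    for (const [name, info] of Object.entries(deps || {})) {
      check(name, info.version, trail.concat(name).join(' > '));
      walk(info.dependencies, trail.concat(name)); // transitive installs
    }
  };
  walk(lock.dependencies, []);
  return found;
}

// Constructed sample: a lockfileVersion 1 tree where the flagged release
// arrives as a transitive dependency of a hypothetical UI package.
const sampleLock = {
  name: 'example-wallet',
  lockfileVersion: 1,
  dependencies: {
    'some-ui-lib': {
      version: '2.0.0',
      dependencies: { 'electron-native-notify': { version: '1.1.6' } }
    },
    'left-pad': { version: '1.3.0' }
  }
};

console.log(findFlagged(sampleLock));
```

To audit a real project, pass `findFlagged` the result of `JSON.parse` on the contents of its package-lock.json and fail the build when the returned array is non-empty.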
