The IOTA Foundation has released a two-part report on the recent hack on the Trinity wallet that saw some $2 million worth of mIOTA tokens stolen and has caused the blockchain to be halted for almost two weeks. The report reveals the extent of the hack and outlines the steps the Foundation is taking to protect users, but some in the crypto community are not convinced by its methods.
Moonpay Integration as Fault
The first part of the report discusses the attack in detail and IOTA’s response to it, laying the blame at the door of a recent integration of Moonpay, a third-party service that allows users to purchase mIOTA tokens from within the Trinity wallet. This integration came with known risks, which were duly exploited:
One of those risks is that the code expected by the device could be unknowingly replaced with code that is not expected. The IOTA Foundation flagged the risks involved and requested an NPM (Node package manager) module to mitigate it. This was later published by Moonpay…but release pressure and human error added up to the Foundation not switching to the more secure NPM package prior to launch.
Several Trinity wallets were then “compromised with one of several illicit versions of Moonpay’s software development kit (SDK)”, resulting in the affected wallets’ seed and password details being sent to a hacker-controlled server.
At this point, the IOTA team switched off the ‘coordinator’, stopping transactions and halting the blockchain, which remains frozen, with users being advised against opening their wallets.
Seed Migration Plan
In the second report, the IOTA Foundation introduces their ‘seed migration plan’, which will involve existing seeds being replaced with new ones. This is critical, say IOTA, because, even though it has only identified 50 known victims so far, the number is likely to be far higher:
…due to the nature of the attack, it is not currently possible to know the exact number of affected users and all Trinity users need to determine whether they might be affected.
IOTA advises all Trinity Desktop users who downloaded the software between December 17 and February 17 to change their wallet password and go through the seed migration process, but in reality everyone should change their password regardless.
IOTA hasn’t released a date on which the seed migration will begin, and has asked the community to stay in touch with its social media pages for more information.
Pitfalls in Recovery Plan Highlighted
It’s fair to say that, while some were grateful for the steps taken by the IOTA Foundation, others were not, highlighting some of the more troubling steps in the process:
Their idea to resolve this is to have a claim period where you claim ownership of your coins, and if there’s a conflicting transaction (the attacker also claiming your coins) you’ll both have to go through KYC so they can attempt to settle it through arbitration.
— Eric Wall IS RIGHT (@ercwl) February 26, 2020
This is not the first time IOTA has been hacked, with a prior hack occurring in 2017 when $10 million worth of mIOTA were stolen. If IOTA think that the current level of criticism is bad, we can only imagine what might happen when they switch the blockchain back on again…