Komodo, the blockchain startup and exchange, has hacked its own users' wallets to move their assets out of reach of attackers before a backdoor could be exploited against them. The backdoor came from Komodo's Agama wallet app, which had pulled in a malicious third-party library.

According to ZDNet, Komodo managed to sweep roughly 8 million Komodo coins (KMD) and 96 bitcoins, together worth around $13 million.

The root cause lay in the npm JavaScript package registry. npm had found a suspicious update to the electron-native-notify library, version 1.1.6, whose code was designed to steal cryptocurrency wallet credentials.

A back-doored library

The incident looked odd at first, but it soon became clear that this was a software supply chain attack carried out through the back-doored library. Komodo's Agama app loaded the malicious electron-native-notify library as a dependency, but it was only from the release of Agama v0.3.5 onwards that the app actually became susceptible to attack.

Once triggered, the malicious code would collect the seeds and passphrases of Agama wallets and send them to a remote server. With those credentials in hand, the attacker could take over users' cryptocurrency wallets and drain them.
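As an added illustration (not code from the article, from Komodo or from npm): the practical lesson of this attack is that an application can pick up a back-doored library without its developers ever depending on it directly. The script below walks an npm package-lock.json, in both the nested lockfileVersion 1 layout and the flat lockfileVersion 2/3 layout, and reports every dependency path that ends in a flagged package version, so the offending transitive dependency can be traced back to the top-level package that introduced it. The two lockfiles and the intermediate package name example-wallet-ui are constructed for the example; only electron-native-notify@1.1.6 comes from the article.

```javascript
// Added example, not code from the article, Komodo or npm.
// Flagged package versions to look for. Only electron-native-notify@1.1.6
// comes from the article; extend the map for other advisories.
const FLAGGED = { 'electron-native-notify': new Set(['1.1.6']) };

// Constructed sample lockfile, lockfileVersion 1 (nested "dependencies").
// "example-wallet-ui" is a hypothetical intermediate package.
const sampleLockV1 = {
  name: 'example-wallet',
  lockfileVersion: 1,
  dependencies: {
    'example-wallet-ui': {
      version: '2.0.0',
      requires: { 'electron-native-notify': '^1.1.0' },
      dependencies: {
        'electron-native-notify': { version: '1.1.6' },
      },
    },
    'harmless-lib': { version: '3.1.4' },
  },
};

// The same constructed tree in lockfileVersion 3 layout (flat "packages"
// map keyed by install path under node_modules).
const sampleLockV3 = {
  name: 'example-wallet',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-wallet', dependencies: { 'example-wallet-ui': '^2.0.0', 'harmless-lib': '^3.0.0' } },
    'node_modules/example-wallet-ui': { version: '2.0.0', dependencies: { 'electron-native-notify': '^1.1.0' } },
    'node_modules/example-wallet-ui/node_modules/electron-native-notify': { version: '1.1.6' },
    'node_modules/harmless-lib': { version: '3.1.4' },
  },
};

function isFlagged(name, version, flagged) {
  return Boolean(flagged[name] && flagged[name].has(version));
}

// Returns a sorted list of "pkg@ver > pkg@ver > ..." strings, one per
// dependency path that ends in a flagged package version.
function findFlagged(lock, flagged = FLAGGED) {
  const hits = [];

  if (lock.packages) {
    // lockfileVersion 2/3: the install path encodes the nesting, e.g.
    // node_modules/a/node_modules/b means b was installed for a.
    for (const [key, info] of Object.entries(lock.packages)) {
      if (key === '') continue; // root project entry
      const names = key.replace(/^node_modules\//, '').split('/node_modules/');
      const leaf = names[names.length - 1];
      if (!isFlagged(leaf, info.version, flagged)) continue;
      // Rebuild the chain with versions by looking up each prefix path.
      const chain = names.map((n, i) => {
        const prefix = 'node_modules/' + names.slice(0, i + 1).join('/node_modules/');
        const entry = lock.packages[prefix] || {};
        return `${n}@${entry.version}`;
      });
      hits.push(chain.join(' > '));
    }
  } else {
    // lockfileVersion 1: recurse through nested "dependencies" objects.
    const walk = (deps, path) => {
      for (const [name, info] of Object.entries(deps || {})) {
        const here = [...path, `${name}@${info.version}`];
        if (isFlagged(name, info.version, flagged)) hits.push(here.join(' > '));
        walk(info.dependencies, here);
      }
    };
    walk(lock.dependencies, []);
  }

  return hits.sort();
}

// Stand-alone usage: audit a real lockfile given on the command line, or
// the constructed samples when no path is supplied.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const path = process.argv[2];
  const locks = path ? [JSON.parse(fs.readFileSync(path, 'utf8'))] : [sampleLockV1, sampleLockV3];
  for (const lock of locks) {
    const hits = findFlagged(lock);
    console.log(`lockfileVersion ${lock.lockfileVersion}: ${hits.length} flagged path(s)`);
    for (const h of hits) console.log('  ' + h);
  }
}
```

Run it as `node audit-lock.js path/to/package-lock.json`; with no argument it audits the two constructed samples, and each reports the single path example-wallet-ui@2.0.0 > electron-native-notify@1.1.6. Checking the lockfile rather than package.json is the point: the direct dependency list of an app like Agama never named the malicious package, and only the resolved tree shows that it was installed.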

Quick thinking from Komodo saves the day

Once it realized how devastating an attack could be, Komodo's security team moved quickly to salvage the funds at risk. Using the very backdoor that could have caused so much damage, the team swept the funds out of vulnerable wallets and into wallets under its own control.

In a security alert, Komodo noted:

“We were able to sweep around 8 million KMD and 96 BTC from the vulnerable wallets, which otherwise would have been easy pickings for the attacker. The safe wallets […] are under the control of the Komodo Team, and assets can be reclaimed by their owners. See our support page article for details.”

Unfortunately, the danger has not passed. Because the attacker may already hold stolen seeds and passphrases, any wallet still protected by those credentials can be emptied at any time. Komodo has therefore advised users to move their funds out and to stop using the old seeds and passphrases rather than keep relying on them. It has also retired the old Agama wallets and asked users to migrate to newer versions that are not affected by the backdoor.