- The IOTA Foundation has presented a remediation plan how the stolen IOTA can be recovered and in what time frame the IOTA network will be up and running again.
- The migration tool is expected to be released next week, then users of the IOTA Trinity wallet will have seven days to use the tool and convert their wallet to a secure seed.
Almost nine days after the hack of the IOTA Trinity wallet became known, the IOTA Foundation has now published a remediation plan. The plan includes a concrete action plan on how to get the IOTA network back up and running and how to prevent the hacker from using the stolen seeds to rob further IOTA from the Trinity wallet users.
As the IOTA Foundation describes, on 12 February 2020, around 3 pm CET, it became aware of unauthorised outgoing transactions on previously positively balanced accounts, which forced the IOTA Foundation to make a prompt decision. Within the first four hours of the attack becoming known, the leadership made the decision to stop the Coordinator and thus bring the IOTA Tangle for value transactions to a standstill. What happened subsequently has already been reported in great detail.
Now the IOTA Foundation has also commented on the actual course of events of the hack. It states that the integration of MoonPay was relatively quickly identified as the root cause. It was delivered as bundled code, as a so-called CDN (Content Delivery Network). Aware of the vulnerability of the CDN technology, the IOTA Foundation demanded a so-called NPM (Node Package Manager) from MoonPay. However, this was delivered late by MoonPay after much of the development work had already been done, which is why the integration did not take place before the launch of the Trinity Wallet (freely translated):
[…] but release pressure and human error added up to the Foundation not switching to the more secure NPM package prior to launch. This was the weakness leveraged by the attacker and one that could likely have been resolved if the Foundation had had a more extensive, cross-team review process for larger releases.
As for the rest of the hack, the first blog post goes on to say that the attacker merged numerous packages containing 28 GIOTA, presumably to avoid the KYC identification procedures of exchanges. As a result of various investigations, the IOTA Foundation has come to the conclusion that the attack was already prepared at the end of November 2019. Furthermore, an unspecified amount of IOTA has already been transferred to crypto exchanges:
When we analyzed these logs with our Tangle analytics toolsets we, unfortunately, found that several addresses were owned by an exchange. We requested the exchange again to immediately lock the accounts, and are currently in further correspondence with them to assess the full picture of the amount of tokens the attacker was able to convert and transfer out of the exchange. […]
The next revelation came with the release of the log files to the IOTA Foundation on the 15th of February from the DNS provider contracted by Moonpay: Cloudflare. […] The attacker started on November 27th, 2019 with a DNS-interception Proof of Concept that used a Cloudflare API key to rewrite the api.moonpay.io endpoints, capturing all data going to api.moonpay.io for potential analysis or exfiltration.
Another longer-running Proof of Concept was evaluated by the attacker one month later, on December 22nd, 2019. On January 25th, 2020, the active attack on Trinity began, where the attacker started shipping illicit code via Moonpay’s DNS provider at Cloudflare.
Currently, the IOTA Foundation is aware of 50 seeds that were stolen during the attack. A total of 8.55 Ti (8,550,000,000,000 IOTA), approximately 2.37 million US dollars, were stolen. However, due to the nature of the attack, it is currently not possible to identify the exact number of users affected, so all Trinity wallet users are encouraged to check for themselves whether they are affected.
IOTA migration tool to be released next week
In order to realize a rollback and return the stolen IOTA to their true owners, the IOTA Foundation will release a migration tool next week. All Trinity users are then encouraged to use the tool if they have used the Desktop Wallet between 17 December and 17 February. Regarding the concrete procedure the IOTA Foundation writes:
Instead of turning on the Coordinator immediately, we will provide a migration period for all at-risk users. The migration period will give users time to initiate a migration of their tokens from their current seeds, which may have been compromised, to newly created seeds.
Users who may be affected will be given 7 days to perform the seed migration. After the 7-day period has expired, the IOTA Foundation will begin validating the submitted contributions. All conflicting submissions must be validated through a KYC process.
Optionally, on the 8th and 9th day after the release of the tool, a “community validation” will take place. During this process, the community can check and validate the ledger status if there are conflicts. On the 10th day after the tool is released, the IOTA network will be up and running again with the new snapshot. The Coordinator is switched on again.
If users of the Trinity wallet are not able to use the migration tool in time, there is a risk that the stolen IOTA tokens will be transferred by the attacker. It is also important for Trinity Wallet users that the tool will only be available for Windows 7, Windows 10, Linux and MacOS, not for iOS and Android. Mobile users are therefore urged to use the SeedVault export or enter the seed directly into the tool manually.
We recommend all IOTA Trinity wallet users and all other IOTA supporters and investors to read the blog posts. In these the IOTA Foundation addresses in detail how the attacker proceeded, what measures were taken and how to prevent such attacks and security vulnerabilities in the future.
