For over two weeks now, the Iota network has been down, with MIOTA token-holders unable to make any transactions since Feb. 12. The outage followed a hack in which an attacker made off with over $2 million from Iota’s native Trinity wallet; since the network was turned off, the project has lost around 40% of its value, which had been touted at almost $400 million.
The Iota Foundation has downplayed the severity of the hack, but a number of indicators suggest far more wallets might have been compromised than the Iota Foundation has so far announced. And while funds may have only been stolen from a limited number of wallets, the vulnerability in question has likely existed for an extended period of time. It is also quite possible that the hacker was able to obtain the wallet seeds from everyone who used the Trinity desktop wallet while the vulnerability was active.
In response, Cara Harbor, director of communications for the Iota Foundation told Cointelegraph that the firm is taking this incident very seriously and that a dedicated team is working around the clock to identify the issue and to find a solution as soon as possible. She added:
“The vulnerability at hand was only within the Trinity Desktop wallet and was indeed caused by the Moonpay integration. There is no vulnerability in IOTA itself or the protocol. While it is an unfortunate event, the actions of the Iota Foundation show that we are serious about the project and its users.”
How did it go down?
To gain a better understanding of the situation, Cointelegraph spoke with Casper Niebe, a developer at Obyte, a directed acyclic graph platform, who believes that the timeline for the hack most likely looked like this:
First, when the MoonPay plug-in was first included within the beta version of Trinity, no foul play was detected. The plug-in was then included in the non-beta version, allowing the hacker to start collecting seed words from those using the compromised wallet.
Then, people at MoonPay noticed something was wrong and turned off their API key, but they failed to notify the Iota Foundation. At this point, the hacker began emptying wallets with large balances by using the wallet seeds collected while the wallets were exposed. Iota noticed and shut down the coordinator, which prevented any further transactions from being confirmed.
According to Niebe, the attacker was able to inject their own code into the MoonPay plug-in. The malicious code likely grabbed wallet seeds from the platform and sent them to the attacker.
Additionally, the MoonPay plug-in included a library from a third-party operator, and instead of waiting for a version that would have let the Trinity wallet’s developers know exactly what they were working with, the integration and release of the plug-in was seemingly rushed, according to an Iota blog post.
Thus, because the exploit was likely active for an extended period of time, the attacker was able to obtain far more wallet seeds than those used to actually steal tokens. It also bears mentioning that MoonPay was seemingly unaware of the issue before it actually arose.
Expressing her thoughts on the subject, Harbor stated that the aforementioned event has shown the Iota team that they need to take their security — especially in regards to third-party providers — extremely seriously. She further opined:
“We take this attack incident very seriously and have not minimized the effect it has had on our community in any way. The actions and transparency that was taken by the Iota Foundation is a testament to that.”
The theft seems to have been quite sophisticated in design
It is believed that the aforementioned breach required the miscreant to possess a certain amount of technical prowess in writing code, as the attack was not trivial in nature. The Iota Foundation detected several iterations of the injected code during its investigation, which suggests that the hacker employed a “trial-and-error” mode of operation.
From a more technical standpoint, the evidence seems to suggest that the hacker started to manually steal tokens from the compromised wallets after the vulnerability was patched by MoonPay. The attacker moved funds from a very limited number of wallets through several other wallets.
Every time the stolen amount passed through a wallet, 28 GigaIOTA (i.e., 28,000 MIOTA tokens), worth roughly $9,000 at the time, was left behind in that wallet. This amount was likely chosen because it was small enough to escape the automatic security measures of exchanges. Moreover, the intervals at which funds were transferred from one wallet to the next ranged between 10 and 20 minutes. Had the transactions been made by an automated script written by the attacker, the entire process could have been completed much faster and with far less variation in the intervals between transfers. Niebe pointed out:
“A major indication of the stolen funds having been manually moved is the amount of 28 GigaIOTA being left in each wallet it passed through. Two of the transactions in the ‘chain’ of transactions that spread the stolen funds in several wallets stand out. One is of 2.8 GigaIOTA, which indicates that the amount was entered with a missing '0' digit. Another transaction was of only 2 GigaIOTA, indicating they missed the '8' digit when entering the amount. Those mistakes would not have occurred if transfers were done using a script.”
While these technicalities are only indicators, they seem to point to a scenario where the actual vulnerability was discovered and exploited by an attacker, who then sold the seeds of wallets holding the largest number of tokens to someone far less technically knowledgeable.
The two abnormal transactions — of 2.8 GigaIOTA and 2 GigaIOTA — can be seen on the network explorer.
Tangle’s “coordinator” node is still on hold following the breach
Iota currently runs on its own dedicated network, Tangle. However, its “coordinator” node, which is designed to prevent attacks, is currently on hold following the recent breach. The coordinator can also be thought of as a huge, centralized on/off switch, which was turned off to save the network from additional damage. It is now confirmed that the node will be reactivated on March 10, after MIOTA holders take the necessary steps to protect their wallets by installing the firm’s latest seed migration tool.
While the Iota Foundation has been bashed online for turning off the entire network, the fact that $2 million worth of tokens had already been stolen means that such a step was arguably necessary. Providing his insights on the matter, Daniel Hernandez Rodriguez, co-founder and CEO of HASHWallet, told Cointelegraph that the issue at hand is not wholly related to the Iota wallets in question but also to the online generators associated with them, adding:
“Every software system that generates seeds can be cracked. The seeds must be generated and stored in an isolated system so nobody has access to them nor to the generation system if not a TRNG (True Random Number Generation) system.”
In regards to the attack and the extent of the damage done, Harbor stated that because the Iota team was unsure of the severity of the attack — i.e., how many seeds were stolen from Trinity wallets through the vulnerability — the firm made the difficult decision to halt the coordinator to prevent the attacker from extracting more tokens. Harbor then went on to add:
“People less familiar with Iota have misinterpreted the fact that Iota currently has the coordinator, as an indication that the network is not decentralized. Currently, the Iota network is decentralized with several hundred nodes issuing and validating transactions. The confirmation process relies on milestones that are issued by the coordinator and validated by the entire network; in other words, the transactions' finality, indeed, depends on this centralized component. However, all nodes verify all transactions and would not accept any ‘wrongdoing’ (like approving invalid transactions, double spends, etc.) from the coordinator.”
Lastly, Harbor also pointed out that some have failed to understand that Distributed Ledger Technology is still fairly new, and as with any such offering, it takes some time for it to reach full maturity.
Many important details are still questionable
Even though there are clear indicators that suggest a great number of wallet seeds were stolen when the MoonPay exploit was active, there is no way to ascertain which seeds were stolen and which ones weren’t.
The only certain thing at this moment is that users who used the desktop version of the Trinity wallet were at risk of having their wallet seeds stolen. This is the reason why the Iota Foundation has asked its customers to promptly make use of the firm’s latest migration tool.
Also, this is not the first time the Iota ecosystem has been on the receiving end of such a security breach. A few years ago, the platform faced another serious vulnerability related to its native cryptographic protocols. In a conversation with Cointelegraph, Inal Kardanov — a developer advocate for Waves Platform, an open-source blockchain ecosystem — pointed out the following:
“A second serious vulnerability in three years looks very dangerous for holders and especially developers. So, I personally expect that many developers will avoid building products on Iota in the future despite all efforts from the Iota team to mitigate the problem.”
Does the future look bleak for Iota?
As mentioned earlier, since this latest security lapse came to light, Iota has lost a little over 40% of its value, and it remains unclear what will happen to the token’s price once the network reactivates on March 10.
MIOTA/USD price chart since Feb. 11. Source: Coin360.com
Additionally, the Iota Foundation claims that its Tangle protocol is still in its beta-testing phase. However, this begs the question: If it is a beta network, will its tokens be considered beta tokens, and will they just be traded on beta exchanges by investors using beta money? And if the project is in beta, then why rush to introduce the MoonPay plugin without sufficient control over whether it would load the code from an external source?
Lastly, a whole host of experts have argued that if the Iota ecosystem had been decentralized — even in the event of the platform losing $2 million as a result of the hack — the network could have stayed switched on, and the Trinity wallet issue could have probably been fixed quite quickly.
So, one point of view is that with a decentralized structure, the Iota Foundation might have prevented the deep market crash it is facing right now — which could take an even bigger hit if token holders choose to sell off their MIOTA tokens once the network comes back online.
Finding a safe way
Upon its inception, the Iota project started off with the promise of using ternary logic (instead of binary) to make its ecosystem completely secure and resistant to attacks from quantum computers. However, after years of no tangible progress being made in that direction, the concept now seems to have been scrapped — thus leading many to believe that the platform is still vulnerable to various external threats. Niebe shared his thoughts on the matter:
“They have focused on finding a way to safely turn off the coordinator for almost three years, initially claiming that it only had to run until a large enough number of transactions would pass through the Tangle. That has also turned out not to be true. So, as some users have jokingly said: ‘Iota has effectively become the most expensive centralized spreadsheet in existence.’”
In regard to the matter, Harbor told Cointelegraph that progressive decentralization as a network grows and strengthens is commonplace, pointing to Bitcoin (BTC) as an example, and added:
“With the removal of the Coordinator, Iota will fulfill its promise as the very first feeless, decentralized and scalable distributed ledger technology available. The feeless nature of Iota is important to the future of IoT.”