- The IOTA Foundation announced that the MoonPay integration was the security flaw that made the hack of the IOTA Trinity Wallet possible.
- Meanwhile, the IOTA Foundation has released new versions for the desktop and mobile wallet without the MoonPay interface. The tangle remains frozen for the time being.
Following the Trinity Wallet hack, the IOTA Foundation announced yesterday that the MoonPay integration was the security vulnerability. IOTA implemented the MoonPay payment interface at the end of December last year to let users buy IOTA quickly and easily. According to the latest results of the ongoing investigation, this fiat/IOTA on-ramp, which allowed users to purchase MIOTA by credit card, is responsible for the hack.
According to IOTA, the Trinity wallet's own code is secure. Yesterday evening IOTA released an updated version of the mobile wallet for both iOS and Android without MoonPay. All users of both the desktop and mobile wallet are encouraged to upgrade to the latest version. The foundation states:
This was necessary because the security vulnerability was introduced into the Trinity wallet via the MoonPay integration. We are working on an incident report in which we will publicly disclose the details of the vulnerability, how it was introduced, how it was exploited, and the steps we are taking to improve our security practices as a whole.
The IOTA Foundation has received several inquiries as to whether the credit card information of Trinity Wallet users who purchased IOTA by credit card is at risk. MoonPay states that, according to current knowledge, this information is unlikely to have been compromised, as it is encrypted according to current security standards:
At this time, as the payment processor of the Trinity Wallet, we want to inform users who have input their credit card details into the Trinity Wallet that, to the best of our knowledge, their credit card information is unlikely to have been compromised by this security incident.
Nevertheless, users should monitor their account statements and report any suspicious activity to their bank immediately. Furthermore, IOTA is in constant contact with the local and international law enforcement agencies investigating the case. IOTA also states that victims of the hack should report the incident to the police, as this will help the criminal investigation.
IOTA continues to work hard to develop a final recovery plan that will return the stolen funds to the victims. To recover the funds, IOTA is currently developing a tool that will allow IOTA owners to switch to a new seed. There will be a migration phase for this.
If two people try to migrate the same seed during this phase, a KYC process will be triggered: if both the hacker and the rightful owner try to claim a stolen seed, both will have to go through KYC. The verification is done by a third-party company. As soon as all MIOTA have been returned to their rightful owners, the tangle will be restarted. Further details will be published in the next few days.