- The IOTA Tangle continues to stand still for value transactions involving IOTA tokens. However, a hack of the core protocol has been ruled out.
- The ongoing investigations have also brought to light new details about how the attacker proceeded.
As CNF reported yesterday, the Trinity wallet was the target of an attack on February 12. As a result, the IOTA Foundation has issued a warning regarding the use of the IOTA Trinity wallet. IOTA owners are strongly advised not to open the Trinity wallet under any circumstances and not to enter their seeds there.
In the course of yesterday, some more details became public. Among other things, it became known that only 10 users were affected. The attack did not spread to a larger number of Trinity wallet users mainly because the IOTA Foundation decided to suspend the coordinator, which sets the milestones and ultimately confirms all transactions. As a result, the IOTA Foundation announced that all value transactions in the IOTA Tangle network were suspended; data transactions, in contrast, are still possible.
Via IOTA’s Discord channel it was also made public yesterday that the attacker was targeting large wallets. Although very few wallets were compromised, a large amount of IOTA was probably stolen. The team assumes that IOTA worth between 300,000 and 1.2 million dollars has been stolen. Lewis Freitag from the IOTA Foundation made the following statement via Discord during the course of yesterday:
Yesterday we received several reports about missing balances from wallets. After the initial triaging and investigation, we found first signs of a coordinated attack, primarily targeting 40 GI+ accounts, either by having knowledge of the seed or by utilizing another form of exploit. This led to the decision to stop the Coordinator and pause value transfers in the network. (After all, the COO is specifically in place as a security measure.)
Aside from halting the network, the IOTA Foundation yesterday allocated all available resources to determining the cause of the problem and investigated the situation together with law enforcement and cyber security experts. As several members of the IOTA Foundation also confirmed yesterday, the attack was not a “protocol violation of any kind”, but only affected the Trinity wallet.
IOTA Tangle continues to stand still – Update
A few minutes ago, at 13:46 UTC, the IOTA Foundation released a new update on its status page. It states that, after a long night, several originally suspected causes of the attack have been ruled out. The team is currently examining individual dependencies of the Trinity wallet. Furthermore, according to the statement, the investigation has been intensified again:
Additional external cyber security experts have joined the investigation with multiple security teams working on the incident analysis. The investigation has yielded absolutely no indication that there has been a core protocol breach of any kind. Rather, all evidence so far points to a problem with a dependency of the Trinity wallet.
Furthermore, the statement says that halting the coordinator has (presumably) prevented the liquidation of the stolen IOTA:
The attack pattern analysis showed that the halt of the coordinator interrupted the attacker’s attempts to liquidate funds on exchanges. The stolen funds have been purposely and repeatedly merged and split to obfuscate the investigation, and with the current token exchange rate as well as exchanges’ KYC limits in mind.
We received additional feedback from more exchanges (not all yet), confirming that none of the identified transactions has been received or liquidated. Our current assumption is that the perpetrator targeted high value accounts first, before moving on to smaller accounts and then being interrupted early by the halt of the coordinator. (Again: Hardware wallet users are not affected.)
The IOTA Foundation concludes the statement by saying that it is well aware of the negative sentiment within the community, but that deactivating the coordinator was the only right decision:
Please note that we are very much aware of the sentiment of the community. But with the safety of the users’ funds being the highest priority in a Major Incident like this, we stand by our decision to make use of the coordinator’s security features and halt all value transfers during the ongoing investigation, in order to protect the users.
As soon as there is any news about the IOTA Trinity wallet security breach, CNF will provide a more up-to-date report.
UPDATE at 15:50 UTC: In a new announcement, the IOTA Foundation has stated that it has found the vulnerability:
We have found the exploit and are now working on resolving the issue. As expected, the exploit is related to the (user-facing) Trinity Wallet. The IOTA core protocol is – as already communicated before – not breached.