SlowMist: Analysis and Security Suggestions for the IOTA Major Coin Stolen Incident
A few days ago, we noticed that IOTA had suspended its mainnet. We already knew that IOTA users had suffered a coin-theft attack earlier, but we did not expect the IOTA team to halt the mainnet in order to stop the attack and investigate it, which suggests the problem is serious. On 19/02/2020 we analyzed the clues officially disclosed on status.iota.org and began our own independent investigation into the specific cause of this serious security incident.
After the release of the new version of Trinity, IOTA's official wallet, we compared the two versions on its GitHub and noticed that MoonPay, a third-party component, had been removed. We also noticed that the Trinity desktop wallet is built on Electron. Our security experience told us that this could be a big trap, so on 2020/02/19 we published the following speculations:
SlowMist Security Team: speculations for IOTA user Trinity wallet coin stolen attack
Following the recent theft of coins from many users' Trinity wallets, IOTA has suspended the mainnet coordinator to stop the attack, investigate, and repair the specific problems. This is a classic class of attack that is often underestimated. The official statements do not disclose the details of the attack, but from our analysis we can make some important speculations. First, a few points can be stated clearly:
1. It is not a problem of the IOTA blockchain protocol; it is a problem of IOTA's Trinity desktop wallet (according to the official claims, which we take at face value for now)
3. A diff of the new and old versions of the wallet shows that MoonPay, a built-in exchange function module, was removed. The key change was the removal of a terrifying piece of code:
// Loads the MoonPay SDK at runtime from a third-party CDN: whoever controls
// cdn.moonpay.io (or the DNS record pointing at it) controls code that runs
// inside the wallet with the wallet's privileges.
const script = document.createElement('script');
script.src = 'https://cdn.moonpay.io/moonpay-sdk.js';
Today (2020/02/22), we noticed that some details were officially disclosed, which basically confirmed our speculation.
Pay attention to this paragraph:
The attacker started on November 27th, 2019, with a DNS-interception Proof of Concept that used a Cloudflare API key to rewrite the api.moonpay.io endpoints, capturing all data going to api.moonpay.io for potential analysis or exfiltration. Another longer-running Proof of Concept was evaluated by the attacker one month later, on December 22nd, 2019. On January 25th, 2020, the active attack on Trinity began, where the attacker started shipping illicit code via Moonpay's DNS provider at Cloudflare.
Unlike IOTA and MoonPay, who have sufficient log records to reconstruct the complete attack process, we can only offer the speculation and analysis above based on what is publicly reachable. For the rest, we hope the official teams will release the complete details and resume the mainnet as soon as possible.
We want to provide some necessary security views and suggestions here:
- Third-party CDN/WAF services such as Cloudflare are excellent and powerful, but if customers do not securely manage their account permissions (API keys included), their web services are exposed to a perfect man-in-the-middle attack
- A fatal flaw in a public chain's official wallet can bring down the chain. While on-chain security gets the attention, off-chain security cannot be ignored; they are a whole, which is why we care about the security of the blockchain ecosystem as a whole, not just the on-chain security of the blockchain itself
- As a user of IOTA's official wallet Trinity, follow the official instructions and complete the security hardening steps as soon as possible; there is not much more to say about this.