SlowMist: Analysis and Security Suggestions for the IOTA Major Coin Stolen Incident
A few days ago, we noticed that IOTA suspended the mainnet. Although we also knew that IOTA users had suffered a coin theft attack earlier, we didn’t expect that IOTA officials would suspend the mainnet to conduct the blocking and investigation of this attack. It seems that the problem is serious. Moreover, on 19/02/2020, we analyzed some of the clues officially disclosed on status.iota.org and began to independently investigate the specific cause of this serious security incident.
After analyzing the release of the new version of Trinity — the official wallet of IOTA, we conducted a version comparison on its GitHub. We noticed that MoonPay, a third-party component, was removed. Besides, we also noticed that the Trinitiy desktop wallet was developed based on Electron. Our security experience tells us that this may be a big trap, so we released some speculations on 2020/02/19 :
SlowMist Security Team: speculations for IOTA user Trinity wallet coin stolen attack
Due to the recent coin theft of many users’ Trinity wallets, IOTA has suspended the mainnet coordinator for ceasing the attack, investigating, and repairing specific problems. This is a classic attack that is underestimated. The official claims did not disclose specific details of the attack, but through our analysis, we can make some important speculations. First of all, a few points can be made clear:
1. It’s not a problem of the IOTA blockchain protocol; it’s a problem of IOTA’s Trinity desktop wallet (from official claims, believe it first)
2. This desktop wallet is based on Electron (a framework for building desktop applications using JavaScript as the core), meaning that the core code is written in JavaScript
3. When doing a diff analysis of the new and old version of the wallet, It was found that MoonPay, a built-in exchange function module, was removed. The key point was to remove a terrifying piece of code:const script = document.createElement (‘script’);
script.src = ‘https//cdn.moonpay.io/moonpay-sdk.js';
document.write (script.outerHTML);If this third-party JavaScript link was malicious or hacked for malicious purposes, then it can be considered that the desktop wallet had completely fallen into enemy hands. At this point, we have reasons to believe that this is a large time bomb. If this time bomb has really already exploded, then it is in line with some official speeches and explanations, such as: upgrade to the new version of Trinity desktop wallet as soon as possible and change the password as quickly as possible. Transfer assets to a secure seed as soon as possible, etc. We can wait and see the official follow-up disclosure.
Today (2020/02/22), we noticed that some details were officially disclosed, which basically confirmed our speculation.
Pay attention to this paragraph:
The attacker started on November 27th, 2019, with a DNS-interception Proof of Concept that used a Cloudflare API key to rewrite the api.moonpay.io endpoints, capturing all data going to api.moonpay.io for potential analysis or exfiltration. Another longer -running Proof of Concept was evaluated by the attacker one month later, on December 22nd, 2019. On January 25th, 2020, the active attack on Trinity began, where the attacker started shipping illicit code via Moonpay’s DNS provider at Cloudflare.
The attacker used MoonPay’s Cloudflare API Key to carry out a series of hijacking attacks subsequently. The IOTA stolen is estimated to reach 8.55 Ti (8550000 MIOTA, MIOTA is now the default minimum transaction unit of the exchange, and the current price is 0.267 USD / MIOTA). According to our historical experience, if the web parses and uses Cloudflare to provide service and its Cloudflare account permissions are controlled, then a perfect man-in-the-middle attack and implantation of malicious JavaScript can be possible. The Trinity desktop wallet is based on Electron. A perfect JavaScript execution environment. No exceptional unauthorized operations are required. JavaScript can perform everything the user or Trinity wallet can do, including theft of passwords and seeds, etc.
Since we are not like IOTA and the MoonPay official, they have sufficient log records to obtain the attack process completely, and we can only output the above speculations and analysis related through what we can reach. For the rest, we hope that the official can release the complete details and resume the mainnet as soon as possible.
We want to provide some necessary security views and suggestions here:
- Third parties can be evil, by default, they are not supposed to be trusted. In the process of software security development, must be alert to the dependencies on the third-party, including third-party components and third-party JavaScript links.
- Third-party CDN / WAF services such as Cloudflare are excellent and powerful, but if users do not securely manage their account permissions, their Web services will encounter perfect man-in-the-middle attacks
- A fatal flaw in the official wallet of the public chain may bring down a public chain. While on-chain security is concerned, off-chain security cannot be ignored. They are a whole, which is why we are concerned about the blockchain ecological security, Not just the on-chain security of the blockchain itself
- As a user of IOTA’s official wallet Trinity, follow the official instructions to complete the security hardening work as soon as possible, not much to say about this.
Note: Dominik Schiener, the co-founder of the IOTA Foundation, said: “The attack was made using MoonPay’s problematic JavaScript.「 The biggest mistake Trinity Wallet made was, not integrating the NPM application package and not appropriately performing security audits to the integration. 」 “From the perspective of a third-party independent security audit, we believe that this statement is not rigorous. In the history of the development of cryptocurrencies, the number of cases of cryptocurrency theft caused by third-party sources referenced in the NPM package are not rare. For example, the well-known “event-stream” incident.
Related Links:
Trinity Attack Incident Part 1: Summary and next steps
Trinity Attack Incident Part 2: Trinity Seed Migration Plan
