Agama security announcement

NOTE: This announcement was initially made around 5th June 2019 when the Agama security incident took place.While the content accurate and relevant at that time, most of the download links and recommendations might be deprecated by now. If you have any questions, please join us on the Komodo Discord to talk to our community.


On Wednesday the 5th of June, the Komodo team was made aware of an issue with the Agama wallet that potentially put some user’s funds at risk. Details and a timeline of events will be published once the necessary steps have been taken to secure funds and fix the problem.

After discovering the vulnerability, our Cyber Security Team used the same exploit to gain control of a lot of affected seeds and secure the funds at risk. We were able to sweep around 8 million KMD and 96 BTC from the vulnerable wallets, which otherwise would have been easy pickings for the attacker. The safe wallets RSgD2cmm3niFRu2kwwtrEHoHMywJdkbkeF (KMD) and 1GsdquSqABxP2i7ghUjAXdtdujHjVYLgqk (BTC) are under the control of the Komodo Team, and assets can be reclaimed by their owners. See our support page article for details.

:warning: :warning: :warning: If you have used Agama, we strongly recommend moving all funds :warning: :warning: :warning: (Komodo, assetchains and other coins linked to the same seed / private key) to a new address as soon as possible.

To check the balance of funds linked to an address, enter it in the form at Dexstats Dashboard - AtomicDEX Asset Overview

An advisory about which wallets are affected, and the ones that are safe:

Unsafe:

Preferred:

Third Party wallets (Some of them are closed source, which is not ideal, but they can be used to move funds to a new address if necessary):

Options to Generate new address quickly?

Use Verus version of Agama

Alternatively, use native mode (ideally from Command line interface (CLI) )

komodo-cli getnewaddress
  • HTML
komodo-cli dumpprivkey <your R-address>

Use Komodo Ocean Wallet

Use coinbin

  • Komodo Coinbin
  • Note this method may not be optimally secure as it’s web-based

How to send funds to the new address?

The new address can store all Komodo assetchains linked to it, even if the wallet you are using does not display those coins. Make sure to backup the seed / private key. As long as you have these safely stored, you can access your funds later.

Use the Verus version of Agama to send funds out. If experiencing SPV connection issues or coin not listed, try an alternative below.

If you are missing funds and see the funds went to this address “RSgD2cmm3niFRu2kwwtrEHoHMywJdkbkeF” (KMD) or “1GsdquSqABxP2i7ghUjAXdtdujHjVYLgqk” (BTC) at the end, please complete the appropriate form for your Coin Name, from the list below to claim your funds. This address is a safe address where the Komodo Security team moved coins from all the vulnerable seeds to protect users.

Existing claims are OK and please DONT resubmit same claims again. We will contact you if we need more information.

Use the below forms ONLY for NEW Claims.

Please don’t use the old form anymore.

If you have filled the form already, please read the linked article to learn more about the refund process.