NOTE: This announcement was initially made around 5th June 2019 when the Agama security incident took place.While the content accurate and relevant at that time, most of the download links and recommendations might be deprecated by now. If you have any questions, please join us on the Komodo Discord to talk to our community.
On Wednesday the 5th of June, the Komodo team was made aware of an issue with the Agama wallet that potentially put some user’s funds at risk. Details and a timeline of events will be published once the necessary steps have been taken to secure funds and fix the problem.
After discovering the vulnerability, our Cyber Security Team used the same exploit to gain control of a lot of affected seeds and secure the funds at risk. We were able to sweep around 8 million KMD and 96 BTC from the vulnerable wallets, which otherwise would have been easy pickings for the attacker. The safe wallets RSgD2cmm3niFRu2kwwtrEHoHMywJdkbkeF (KMD) and 1GsdquSqABxP2i7ghUjAXdtdujHjVYLgqk (BTC) are under the control of the Komodo Team, and assets can be reclaimed by their owners. See our support page article for details.
If you have used Agama, we strongly recommend moving all funds (Komodo, assetchains and other coins linked to the same seed / private key) to a new address as soon as possible.
To check the balance of funds linked to an address, enter it in the form at Dexstats Dashboard - AtomicDEX Asset Overview
An advisory about which wallets are affected, and the ones that are safe:
Unsafe:
-
All versions of Agama Wallet downloaded from Komodo’s official website
-
Agama mobile (Android and IOS)
Preferred:
-
- Ledger Hardware wallet (Make sure the Ledger seed hasn’t been input in the above mentioned unsafe versions of Agama)
Third Party wallets (Some of them are closed source, which is not ideal, but they can be used to move funds to a new address if necessary):
-
Chameleon
-
https://play.google.com/store/apps/details?id=com.chameleon.wallet
-
https://itunes.apple.com/us/app/chameleon-pay/id1453863654?ls=1&mt=8
-
Magnum
-
Pungo
-
Guarda
-
Zelcore
-
Coinomi
Options to Generate new address quickly?
Use Verus version of Agama
-
Direct link - Release PBaaS Cross-chain Technology Preview May 29 2019 · VerusCoin/Agama · GitHub
-
Start KMD Lite mode
If there are any “connection errors” or “get_balance errors”, follow this guide and disable proxy: https://support.komodoplatform.com/solution/articles/29000029569-how-to-stop-agama-from-using-a-proxy-server-to-access-electrum-servers/ -
Create a new seed which will generate a new address that is compatible with KMD and all assetchains.
-
Use this link for steps to create the new address - https://support.komodoplatform.com/en/support/solutions/articles/29000029948-create-new-address-in-lite-mode-with-verus-agama
-
Keep the seed safely backed up (make a note of that address)
-
If you need to move funds, you can log in with an existing private key or seed using this guide - https://support.komodoplatform.com/en/support/solutions/articles/29000029966-logging-into-verus-agama-with-an-existing-private-key and then send funds to your new address
-
If you are unsure what your private key is, follow this guide - https://support.komodoplatform.com/en/support/solutions/articles/29000024495-export-private-key-wif-from-a-wallet-seed-or-pin-password
Alternatively, use native mode (ideally from Command line interface (CLI) )
- Download bootstrap from here if you like Dexstats Dashboard - Bootstraps
- You don’t need to be sync’d to create a new address.
- Windows command line guide here - https://support.komodoplatform.com/en/support/solutions/articles/29000029929-creating-a-new-address-via-command-line-interface-cli-in-windows
- Use the commands below to generate an address and get its private key
- HTML
komodo-cli getnewaddress
- HTML
komodo-cli dumpprivkey <your R-address>
Use Komodo Ocean Wallet
- Download guides here -
Install Komodo Ocean wallet on Linux
Install Komodo Ocean wallet on Mac
Install Komodo Ocean Wallet on Windows
Use coinbin
- Komodo Coinbin
- Note this method may not be optimally secure as it’s web-based
How to send funds to the new address?
The new address can store all Komodo assetchains linked to it, even if the wallet you are using does not display those coins. Make sure to backup the seed / private key. As long as you have these safely stored, you can access your funds later.
Use the Verus version of Agama to send funds out. If experiencing SPV connection issues or coin not listed, try an alternative below.
- Use this guide to create and sign a raw transaction (use an offline computer) and broadcast it online
- https://support.komodoplatform.com/en/support/solutions/articles/29000026631-sign-transactions-offline-and-broadcast-online-using-agama
- Use an offline computer to generate and sign the raw transaction, then copy the signed transaction hex and broadcast it online
- If you need to move ETH/ERC20 tokens, you need to use the agama seed to create an ETH style private key. Use the privatekey in any ethereum wallet and move the funds out of there to a new Ethereum wallet created. Instructions are available here: https://support.komodoplatform.com/en/support/solutions/articles/29000029942-get-an-ethereum-private-key-from-agama-
- If you need to move CHIPS, follow this guide: https://support.komodoplatform.com/support/solutions/articles/29000029965-moving-chips-to-a-new-address
- For moving coins on asset chains that aren’t supported by Verus Agama yet: https://support.komodoplatform.com/support/solutions/articles/29000029971-launching-pirate-rfox-and-other-assetchains-in-komodo-ocean-mac-
If you are missing funds and see the funds went to this address “RSgD2cmm3niFRu2kwwtrEHoHMywJdkbkeF” (KMD) or “1GsdquSqABxP2i7ghUjAXdtdujHjVYLgqk” (BTC) at the end, please complete the appropriate form for your Coin Name, from the list below to claim your funds. This address is a safe address where the Komodo Security team moved coins from all the vulnerable seeds to protect users.
Existing claims are OK and please DONT resubmit same claims again. We will contact you if we need more information.
Use the below forms ONLY for NEW Claims.
- KMD - https://forms.gle/giVXjRKJ5ThSWvxRA
- BTC - https://forms.gle/M3ohdCQ3Mj4c3zAa6
- JUMBLR - https://forms.gle/bTKXBvgddWb1dvCT9
- DEX - https://forms.gle/7jXHQRzpAoHaNPoP7
- SUPERNET - https://forms.gle/nMpKH1q3CAXoiAiY6
- REVS - https://forms.gle/GiXswCcj7Ri1pMvf9
- MSHARK - https://forms.gle/9c9J4hv9DgmpHwUDA
- HODL - https://forms.gle/iAjV48rL9PyuUCjd7
- PANGEA - https://forms.gle/X8siminsVZmsvYsy5
- BET https://forms.gle/pnpj9md1wVntTkaw5
- BOTS - https://forms.gle/FxSZ3gYrDBY1fDYh6
- MGW - https://forms.gle/ggu5tvMAkJfu1qn19
- CRYPTO - https://forms.gle/Xk6wAkcMyf3P93UA9
- VRSC - https://forms.gle/S34SKrX2rnRw1gCPA
- CHIPS - https://forms.gle/xTGbFdavvitJhjff7
- HUSH - https://forms.gle/M9ZQp7vthe8ZrVHi6
Please don’t use the old form anymore.
If you have filled the form already, please read the linked article to learn more about the refund process.