Agama security announcement

On Wednesday the 5th of June, the Komodo team were made aware of an issue with the Agama wallet that potentially put some user's funds at risk.  Details and a timeline of events will be published once the necessary steps have been taken to secure funds and fix the problem.


After discovering the vulnerability, our Cyber Security Team used the same exploit to gain control of a lot of affected seeds and secure the funds at risk. We were able to sweep around 8 million KMD and 96 BTC from the vulnerable wallets, which otherwise would have been easy pickings for the attacker. The safe wallets RSgD2cmm3niFRu2kwwtrEHoHMywJdkbkeF (KMD) and 1GsdquSqABxP2i7ghUjAXdtdujHjVYLgqk (BTC) are under the control of the Komodo Team, and assets can be reclaimed by their owners. See our support page article for details.


If you have used Agama, we strongly recommend moving all funds (Komodo, assetchains and other coins linked to the same seed / private key) to a new address as soon as possible.  



To check the balance of funds linked to an address, enter it in the form at https://dexstats.info/assetviewer.php 


An advisory about which wallets are affected, and the ones that are safe:


Unsafe:

- All versions of Agama Wallet downloaded from Komodo's official website

- https://www.atomicexplorer.com/wallet/#/

- Agama mobile (Android and IOS)


Preferred:


Third Party wallets (Some of them are closed source, which is not ideal, but they can be used to move funds to a new address if necessary):


- Chameleon

    - https://play.google.com/store/apps/details?id=com.chameleon.wallet

    - https://itunes.apple.com/us/app/chameleon-pay/id1453863654?ls=1&mt=8

- Magnum

    - https://magnumwallet.co/

- Pungo

    - https://pungo.app/

- Guarda

    - https://guarda.co/

- Zelcore

    - https://zel.network/project/zelcore/

- Coinomi

    - https://www.coinomi.com/en/


Options to Generate new address quickly?



Use Verus version of Agama

Alternatively, use native mode (ideally from Command line interface (CLI) )


Use Komodo Ocean Wallet


Use coinbin 


How to send funds to the new address?

The new address can store all Komodo assetchains linked to it, even if the wallet you are using does not display those coins. Make sure to backup the seed / private key.  As long as you have the these safely stored, you can access your funds later.


Use the Verus version of Agama to send funds out. If experiencing SPV connection issues or coin not listed, try an alternative below.



If you are missing funds and see the funds went to this address "RSgD2cmm3niFRu2kwwtrEHoHMywJdkbkeF" (KMD) or "1GsdquSqABxP2i7ghUjAXdtdujHjVYLgqk" (BTC) at the end, please complete the appropriate form for your Coin Name, from the list below to claim your funds. This address is a safe address where Komodo Security team moved all vulnerable seed funds to protect the users. 


Existing claims are OK and please DONT resubmit same claims again. We will contact you if we need more information.


Use the below forms for ONLY for NEW Claims. 



Please don't use the old form anymore.


If you have filled the form already, please read the linked article to learn more about the refund process.

Did you find it helpful? Yes No

Send feedback
Sorry we couldn't be helpful. Help us improve this article with your feedback.