Steps to reclaim funds after the Agama incident

User Support Guides
1

On June 5, the Komodo Security Team swept funds from vulnerable wallets to safe addresses. These funds are now under the control of the Komodo team, and we would like to proceed with procesing the claims as soon as possible.

If you have not filed a claim yet, please take the steps described in the linked article.

The Schedule of Processing Claims

First, we are going to process claims where the amount is not greater than 7777 KMD, then we will proceed with the larger claims.

To qualify for early processing:

  • your claim needs to be uncontested, and must have been swept by the team to the safe address;
  • you need to have filled out the form (link);
  • you will need your old compromised private key to prove you had control of the address.

If all of the above three conditions are met, and your claim is not greater than 7777 KMD, we aim to get them processed before June 15th.

We believe the vast majority of the claims fall into this category. We will use the blockchain to prove that the repayment has been made.

After this first phase of repayments, the number of claimants will be much reduced, but there will still be a large chunk of KMD left to payout.

In the second phase, will deal with swept funds that are big, but are uncontested. Make sure to fill out the form ASAP.

In the third phase, we will deal with funds that were stolen and not swept by the Komodo team. At that point, all that will be left are the disputed addresses, which will be dealt with on a case by case basis.

Our goal is to complete all phases other than the dispute resolutions by the end of this month.

The refund Process

We will use a three-step process for processing claim:

  1. A special transaction will be sent to your compromised address. It will be for a fraction of a KMD.

  2. You need to send all the funds from the compromised address to the destination address you specified in the form.

  3. IF and only IF, your address has no disputes, or contradictory claim info, and the proper destination address receives the special payment, a refund tx will be made to the destination address specified in the form. This does not happen automatically (we double-check every claim), so we kindly ask you to be patient. At this point, your claim is already under review and you will be refunded as soon as possible.

What do you need to do?

If your claim qualifies for early refund, please check to see if you have received the special transaction. Then make sure you send all the funds to the re-claim address you specified on the form.

If you didn’t get a special tx, that means your address is under dispute, you have filed too many claims, or the amount of KMD does not match. Claims with conflicting information will be done after the easy cases are processed.

What does the transaction you received mean?

The transaction sent to your compromised address will look like this on a blockexplorer: https://kmdexplorer.io/tx/f9073cf80b8bc19c7812bb643aa1c1a6e63c2496baf877e62d92461ea7f56192

ryrvkxoAsb67-iLmP7SQsdnedwZs_8IsYw
ryrvkxoAsb67-iLmP7SQsdnedwZs_8IsYw1732×651 58.1 KB

In the above transaction, there are 3 addresses and 3 payments done.

The three addresses:

  1. R9JCEd6xnCxNUSpLrHEWvzPSh7CNXm7z75 (The address sending the transaction)
  2. RF8MWcLGtvd87o2XCrnngGzUHrVpuUihgE (A compromised Address)
  3. RWXL82m4xnBTg1kk6PuS2xekonu7oEeiJG (A marker address controlled by the team to keep track of the refund; more about it later)

The three payments:

  1. R9JCEd6xnCxNUSpLrHEWvzPSh7CNXm7z75 to RF8MWcLGtvd87o2XCrnngGzUHrVpuUihgE (0.00053034 KMD)
  2. R9JCEd6xnCxNUSpLrHEWvzPSh7CNXm7z75 to RWXL82m4xnBTg1kk6PuS2xekonu7oEeiJG (0.0002 KMD)
  3. R9JCEd6xnCxNUSpLrHEWvzPSh7CNXm7z75 to R9JCEd6xnCxNUSpLrHEWvzPSh7CNXm7z75 (Some change, not relevant to the discussion)

Explanations:

  • The first payment is a confirmation from us that the address was compromised, and we swept its balance to a safe address controlled by the team.
  • The amount sent in the first payment: 0.00053034 KMD encodes the refund amount too, just subtract 0.0002 KMD from it and multiply by 100000000. So (0.00053034 KMD - 0.0002 KMD)x100000000 = 33034 KMD is the amount we were able to move from the address .
  • The second payment is to an address we control: RWXL82m4xnBTg1kk6PuS2xekonu7oEeiJG. This payment will be spent by us in the transaction that returns the funds to the new secure address submitted by the user. This way, by just looking at the second payment’s spent status ( U means Unspent; S means Spent) the user can know if the funds have been sent to their new address.
  • Please ignore the third payment; it is just change being sent back to the original address that initiated this transaction.