// New users can add only 2 links, so for now I have had to make some edits to the post; I will add the full story with links once I have a higher rating!
UPD: I got approval from a team that is well versed in this issue, so after a long wait and numerous allegations of fraud, we have finally posted it here to prevent any further claims in the future about our (dishonest, as some think) work.
1. $1.3M Loss with MEMO and MNEMONICS
To understand the problem, you should read two articles: #1 on the loss of Amphibious Validator and #2, the MightyFrog CTO's report.
2. IBC - Potential Losses Leveraged
IBC is a powerful feature that lets a user interact across different chains, which in practice means keeping the assets of every Cosmos-based chain under one wallet, i.e. one mnemonic (the user-side view here is mostly our prediction).
Since we published our articles and provided a minimum viable solution (wasmywalletleaked. com, detailed in the next section), we have detected such exploits (if you can call them that) on 5 networks (more to come), listed in the format Network: users affected:
sentinel: 34
persistence: 22
certik: 4
akash: 6
cosmos: 2
Total losses: $1.3M estimated
Now take Akash alone. The network enabled IBC transactions only very recently, so some unsuspecting users whose mnemonics are already "public" may now be testing the new IBC features. Because the leaked mnemonic is the root secret from which the keys for every Cosmos-based chain are derived, a wallet leaked on one chain is compromised on all of them: EVEN if such a user sends just $1 of ATOM to the "lost" address, they lose that $1 of ATOM, now on the Akash network. This is why we call it "Potential Loss Leveraged".
Whose fault is it? Exchanges, Wallets?
No, it is the user's fault, but we can improve the UX by adding some additional safeguards.
3. Solutions
At the time of writing we have already brainstormed a lot of solutions, so let's divide them into 2 categories:
Solutions related to the return of funds from leaked wallets
- Sentinel Swap Page Linking Ethereum Wallet to Mainnet Wallet (this way we can prove that the user owns the mainnet address)
- Cosmos ICO Ethereum Wallet Coupling
- Any Cosmos-Based Chain that started with ETH and had ETH <> Cosmos Swap.
Solutions related to future users confusing MEMO with MNEMONICS
- Change MEMO to NOTE, so that users no longer mix up MEMO and MNEMO (crypto-community jargon for a mnemonic)
- A warning in the MEMO field if a mnemonic has been entered there (twitter. com/fadeev/status/1385913254258610177?s=21)
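As an added example (not code from this post, nor from Solar Labs or Mighty Frog), here is a heuristic check of the kind the second solution above describes, written in Python. The same function serves two places: a wallet can call it before signing to warn the user that the memo looks like a recovery phrase, and a chain scanner of the sort described in the next section can run it over every transaction's memo. The function names, the placeholder transaction hashes and addresses are my own inventions; the two phrases in the sample data are the standard BIP39 test vectors for all-zero and all-one entropy, not anyone's real wallet.

```python
import re
from typing import Iterable, List

# Shape of a BIP39 recovery phrase: 12, 15, 18, 21 or 24 words, each a
# lowercase ASCII word of 3 to 8 letters from the 2048-word English list.
MNEMONIC_LENGTHS = {12, 15, 18, 21, 24}
WORD_RE = re.compile(r"^[a-z]{3,8}$")
# Labels users sometimes type in front of a pasted phrase ("Mnemonic: ...").
LABEL_RE = re.compile(
    r"^\s*(recovery phrase|seed phrase|mnemonic|mnemo|seed)\s*[:=-]?\s*",
    re.IGNORECASE,
)


def looks_like_mnemonic(memo: str) -> bool:
    """Heuristic check: does this memo have the shape of a BIP39 phrase?

    Shape only (word count, character class, word length). A production
    check should additionally verify every word against the BIP39 wordlist
    and validate the checksum bits; both are omitted so that this example
    runs without the 2048-word list.
    """
    if not memo:
        return False
    body = LABEL_RE.sub("", memo).lower()
    words = body.split()
    if len(words) not in MNEMONIC_LENGTHS:
        return False
    return all(WORD_RE.match(w) for w in words)


def memo_warning(memo: str) -> str:
    """Wallet side: text to show before signing when the memo looks leaky."""
    if looks_like_mnemonic(memo):
        return ("WARNING: this memo looks like a recovery phrase. Memos are "
                "public on-chain; anyone can read it and take your funds.")
    return ""


def scan_memos(txs: Iterable[dict]) -> List[dict]:
    """Scanner side: return the transactions whose memo looks like a phrase."""
    return [tx for tx in txs if looks_like_mnemonic(tx.get("memo", ""))]


# Constructed sample transactions (hashes and addresses are placeholders,
# not real chain data). The two phrases are the standard BIP39 test vectors
# for all-zero and all-one entropy, not anyone's actual wallet.
SAMPLE_TXS = [
    {"hash": "TX1", "sender": "cosmos1example000", "memo": "payment for invoice 42"},
    {"hash": "TX2", "sender": "cosmos1example001",
     "memo": " ".join(["abandon"] * 11 + ["about"])},
    {"hash": "TX3", "sender": "cosmos1example002", "memo": "1029384756"},
    {"hash": "TX4", "sender": "cosmos1example003",
     "memo": "Mnemonic: " + " ".join(["zoo"] * 23 + ["vote"])},
    # 12 words, but punctuation and a 10-letter word rule it out.
    {"hash": "TX5", "sender": "cosmos1example004",
     "memo": "Thanks for the quick turnaround, see you at the meetup next week!"},
    {"hash": "TX6", "sender": "cosmos1example005"},  # no memo at all
]


if __name__ == "__main__":
    for tx in scan_memos(SAMPLE_TXS):
        print(f"{tx['hash']} from {tx['sender']}: memo looks like a mnemonic")
```

A plain 12-word lowercase English sentence will also trip this check; that is acceptable for a wallet warning the user can dismiss, but a scanner that wants to treat an address as compromised should confirm the hit by checking the words against the BIP39 list and the checksum, and then deriving the key and comparing it with the transaction's sender.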
4. Our Contributions So Far
- First of all, we've introduced a website (wasmywalletleaked. com/) to check whether your wallet was exposed. We've scanned the Cosmos, Persistence, CertiK, Akash and Sentinel networks and found wallets holding tokens worth over $1,300,000 in total. Go and check if your wallet is compromised.
- We've delegated most of the available tokens of such wallets to reliable validators (less than $100), to make sure no one is able to withdraw them from you without your consent. Tokens cannot be withdrawn unless they are unbonded, and the unbonding period is long enough to take further action and prepare to protect vulnerable wallets.
- We're preparing pull requests for wallet apps etc. to make sure that the MEMO parameter is renamed to something less confusing and users stop submitting their mnemonics into it.
- github. com/sentinel-official/desktop-client/pull/33 - first edit to be (hopefully) merged into the main Sentinel Desktop Wallet application
- github. com/cosmos/cosmos-sdk/issues/9122
- github. com/cosmostation/cosmostation-mobile/issues/98
“Who Made This” list and “Thank You” list:
Many people helped us, starting with the Sentinel Team, Zaki Manian, Jack Zampolin, Sunny97, Josh Lee (Keplr CEO), Roman (Making.Cash Validator), Кирилл (@antiborsh on TG, smart-ass Russian OG), Zdeadex, OmniFlix, Rodrigo Gaona, Cosmic Validator, Sistla Abhishek, Booyoun Kim and many more (sorry if someone is not tagged), down to ordinary anonymous users in the trollbox; but in the end, most of the work was done by 2 teams:
- Mighty Frog Twitter: (twitter. com/mightylordfrog)
- Solar Labs Twitter: (twitter. com/solarlabs)
- Mighty Frog CEO's Telegram: (t. me/mightylordfrog)
- Solar Labs CEO's Telegram: (t. me/alexlitreev)
- Solar Labs Telegram Group: (t. me/solarlabs)
We are waiting for constructive feedback from users and from the owners of wallet and exchange projects. Thanks in advance!