Misunderstanding by end users of MEMO and MNEMONICS, resulting in $1.3 million in losses

// New users can add only 2 links, so make some personal edits for full story, will edit when will get higher rating!

UPD: I got approval from a team that is well versed in this issue, so after a long wait and numerous allegations of fraud, we finally posted it here to prevent any other claims about our (dishonest, as some think) work in the future.

1. $1.3M Loss with MEMO and MNEMONICS

To understand the problem, you should check two articles - #1 on the loss of Amphibious Validator and #2 - on MightyFrog CTO’s report.

#1: https://link.medium.com/Sp0bzNJzMfb

#2: https://link.medium.com/ydP7MXHzMfb

2. IBC - Potential Losses Leveraged

IBC is an incredible feature that allows the user to interact between different chains = keep all the assets of the all possible cosmos-based chains in one chain wallet (user side view is mostly based on our predictions).

Since we published our articles and provided a minimum viable solution (wasmywalletleaked. com) - will be detailed in the next section), we have detected such exploits (if you can call them that) on 5 networks (yet more to come) listed in the Network <> UsersAffected format:

sentinel 34
persistence 22
certik 4
akash 6
cosmos 2
Total Losses: $1.3M Estimated

Now let’s take only Akash. Due to the fact that the network very recently enabled IBC transactions, some satisfied users with “public” mnemonics may now be testing the new IBC features. EVEN if these users send $1 ATOM to the “lost” address, it means they will lose this $1 ATOM, but on the Akash network. This fact may lead us to say that it is “Potential Loss Leveraged”.

Whose fault is it? Exchanges, Wallets?

No, it’s the user’s fault, but we can improve the UX by providing some additional security measures.

3. Solutions

At the moment of writing we already brainstormed a lot of solutions, so let’s divide them into 2 categories:

Solutions related to the return of funds from leaked wallets

  • Sentinel Swap Page Linking Ethereum Wallet to Mainnet Wallet (this way we can prove that the user owns the mainnet address)
  • Cosmos ICO Ethereum Wallet Coupling
  • Any Cosmos-Based Chain that started with ETH and had ETH <> Cosmos Swap.

Solutions related to misunderstanding of MEMO / MNEMONICS by future users

  • Change MEMO to NOTE - this way users will not mix MEMO and MNEMO (jargon for mnemonics used in the cryptosphere)
  • MEMO field notification if MNEMONICS have been filled - (twitter. com/fadeev/status/1385913254258610177?s=21)

4. Our Contributions So Far

  1. First of all, we’ve introduced a website (wasmywalletleaked. com/) to check if your wallet was exposed. We’ve scanned Cosmos, Persistence, CertiK, Akash & Sentinel blockchain networks and found wallets with tokens of total worth over $1,300,000. Go and check if your wallet is compromised.

  2. We’ve delegated most of the available tokens of such wallets to reliable validators (less than $100) — to make sure no one is able to withdraw them from you without your consent. Tokens cannot be withdrawn unless the unbonded and unbonding period is long enough to take further actions and prepare to protect vulnerable wallets.

  3. We’re preparing pull requests for wallet apps and etc. to make sure that MEMO parameter is changed to something less confusing and users are not submitting their mnemonics into it.

  4. github. com/sentinel-official/desktop-client/pull/33 - first edit to be (hopefully) merged into main application of Sentinel Desktop Wallet

  5. github. com/cosmos/cosmos-sdk/issues/9122

  6. github. com/cosmostation/cosmostation-mobile/issues/98

“Who Made This” list and “Thank You” list:

Many people helped us, starting with Sentinel Team, Zaki Manian, Jack Zampolin, Sunny97, Josh Lee (Keplr CEO), Roman (Making.Cash Validator), Кирилл (@antiborsh on tg - smart-ass Russian OG), Zdeadex, OmniFlix, Rodrigo Gaona, Cosmic Validator, Sistla Abhishek, Booyoun Kim and many more (sorry if someone is not tagged) ending with ordinary anonymous users in trollbox, but in the end, most of the work was done by 2 objects:

  • Mighty Frog Twitter: (twitter. com/mightylordfrog)

  • Solar Labs Twitter: (twitter. com/solarlabs)

  • Mighty Frog CEO’s Telegram: (t. me/mightylordfrog)

  • Solar Labs CEO’s Telegram: (t. me/alexlitreev)

  • Solar Labs Telegram Group: (t. me/solarlabs)

We are waiting for constructive feedback from users and owners of projects of wallets and exchanges, thanks in advance!

7 Likes

In addition to the above, cryptocurrency market for a long time needed some solutions to prevent users ‘shoot themselves in leg’, so the topic is the right way to develop any ecosystem safe for users first of all.
Just an interesting sing that Ripple solve such kind if problems renaming MEMO to an Destination Tag and making it numeric only (memos are alphabetical), which is just an workaround (IMHO).

3 Likes

Exactly, but still there are 100s of blockchains using this MEMO standard and MNEMO (jargon for mnemonics = private keys)

Main issue in all such problems as @Mighty_Frog mentioned is literally just miscommunication in naming conventions, I as former UX designer can say that this issue is wrong ‘memory recall’, so it’s slightly different from technical field.
@Stanley, yes XRP changed naming which should help, but coins losses in dosens of other transactions giving bad experience to users and even large investors.

1 Like

Exactly, as we said no wallets or exchange fault, just user

2 Likes

Same problem was before websites started to force people to create strong passwords

Respect Apple for their strong pass recommendations on web and some apps, might take this into consideration don’t know how

Heard about problems of fund losses due to typos in adresses, as one guy from reddit who send 3K BTC in a 2k15 to a somehow existing adress (probability 1 no 4 billions) so no one believed him, but the MEMO’s problem looks more wide spread.

Just a small reminder that Ripple had never an MEMO attribute, that was Destination Tag from the beginnig BUT users anyway submit there accounts password LMAO

1 Like

:rofl: @M_Everett God bless 2FA on my accounts, that actually helped me hold my funds from being stoled when YoBit where hacked at 2018

Actually concept described above looks promising, I would not surprised if that could became an actual standart for new ecosystems in a 2-3 years. Anyway seems like cosmos is opensorced so that could happen even faster.

Thought such stuff should regulated by default, but unlike any new tech it all go througt ‘way of try and failures’

Are you saying people are/have sent their seed phrase in the memo field of a transaction? If this is the case wallet apps should definitely take steps to prevent this if possible.