Rushing an SDK integration cost a crypto business $2 million!
In February 2020, we learned of IOTA’s Trinity wallet hack, which cost the company a fortune.

IOTA, which is “the first distributed ledger built for the Internet of Things”, had been relying on third-party infrastructure to provide features related to its cryptocurrency wallet, called Trinity.

In an interview with CoinTelegraph, David Sønstebø, the founder of IOTA, stated that the hack had happened due to the way a third-party SDK was integrated into the Trinity wallet system. Due to this, “there was a vulnerability that was exploited by the hacker. The total amount of iotas siphoned out of accounts [was] 8.52 Ti.”
CDN or NPM?
At the time of the IOTA hack, factors on IOTA’s own end, namely “release pressure and human error,” were what had led to the breach.
A detailed analysis IOTA shared on its blog traced the issue back to the partner-provided SDK being loaded from a Content Delivery Network (CDN), a delivery path that left the code exposed to tampering by attackers.
Although IOTA’s partner MoonPay did, at IOTA’s request, provide a more secure Node.js module that would have mitigated the risks arising from CDN delivery, it arrived towards the end of the integration process, and the switch to it was overlooked on IOTA’s end.
“At the time of its integration into Trinity, Moonpay was only available as bundled code delivered by a CDN, so the IOTA Foundation integrated it as such. Although widely used in web technologies, CDN delivery has inherent risks. One of those risks is that the code expected by the device could be unknowingly replaced with code that is not expected,” explains the blog post.
“The IOTA Foundation flagged the risks involved and requested an NPM (Node package manager) module to mitigate it. This was later published by MoonPay, after most of the integration work had already been done, but release pressure and human error added up to the Foundation not switching to the more secure NPM package prior to launch.”
“This was the weakness leveraged by the attacker and one that could likely have been resolved if the Foundation had had a more extensive, cross-team review process for larger releases,” the post further explained.
Regardless, it was IOTA that took responsibility for the breach and took the appropriate steps to compensate its victims.
Although IOTA’s founder has taken responsibility and personally volunteered to compensate the victims of the breach, the following best practices could help save your business from mishaps like these.
Vet third-party integrations carefully
Just because a solutions provider or a potential corporate partner is new in the market isn’t an automatic disqualification. Had businesses not given startups a chance, we’d have none left in the game!
However, it doesn’t hurt to vet your partners properly and ensure they adhere to proper industry standards when it comes to basic security practices.
Under pressure to release a working product fast, IOTA skipped security audits of both its partner’s CDN delivery and its own infrastructure when integrating the third-party SDK. A thorough security audit and penetration test would have surfaced the weaknesses lurking in the CDN delivery and in IOTA’s integration of the SDK. Ignoring best practices can backfire, as this case shows.
Perform thorough security audits
…of your own infrastructure, and your partner companies!
To the previous point, the postmortem analysis of the breach shows that the weakness lay in the CDN delivery: attackers had replaced the SDK code served from MoonPay’s infrastructure with malicious code, which IOTA’s wallet then loaded.
“Trinity caches found irrefutable proof that they had been compromised with one of several illicit versions of Moonpay’s software development kit (SDK), which was being loaded automatically from Moonpay’s servers (their CDN) when a user opened Trinity,” the blog post explains.
The code was loaded into the local Trinity instance, and, after the user’s wallet was unlocked, decrypted the user’s seed and sent the seed and password to a server controlled by the attacker. Before transferring tokens out, the attacker awaited the release of a new Trinity version, which would overwrite Trinity’s cache files and thus remove the remaining traces of the hacker’s exploit. With this realization and code samples in hand, the IOTA Foundation immediately filed a report with the Berlin Police Cyber Division.
History has shown us that even companies who constantly brag about “taking users’ privacy and security seriously” get breached all the time, despite their best efforts.
This means that while integrations and business expansion may be important and come with stringent deadlines, pushing them through at the cost of a security trade-off is, in today’s world, a real gamble.
FinTech is a high liability industry
Data leaks and breaches are already an everyday nuisance for digital businesses. But when you are dealing in cryptocurrency or FinTech, you are the guardian not only of people’s data but of their real money! And that can get ugly fast.
The SDK integration error led to IOTA having to compensate $2 million to their customers who were the victims of this breach.
Data breaches already bring with them lawsuits and hefty fines, especially if GDPR applies to your business. However, data breaches involving financial loss to the customer are two times the trouble.
When stepping into FinTech, already a highly regulated industry, be sure to check all the boxes, have regular security audits of your systems, and have all kinds of insurance policies you can possibly get.
Accept responsibility when things go wrong
The responsibility demonstrated by IOTA leadership is commendable. The founder himself stepped up to pacify the situation by offering a solution that’d make everyone happy.
IOTA’s founder, Sønstebø, himself paid $2m to the victims of the breach, although this might be regarded as questionable in the business world.
“It’s quite simple: I did not start Iota with the goal of making myself or my co-founders rich. This is why we are the only project to not have a pre-mine or special allocation of tokens of any sort; Iota is truly grassroots,” Sønstebø said in the CoinTelegraph interview.
He continued, “It will cost around ~2 million USD. This is definitely a lot of money, but if my primary motive was money I have had ample opportunity over the last 2 years to maximize my profits. I have not. For me, the chief goal is to build this future, based on our vision. Hopefully, the culprit will be held accountable one day and the funds recovered. The chances are low, but we did it once before.”
In conclusion, the lessons learned in this case can help both established FinTech companies and newer startups understand the risks of trading off security in favor of faster releases, and how these issues can be prevented.