Protecting User Tokens and Rebooting the Coordinator
The full article was originally published by the IOTA Foundation on Medium. Read the full article here.
On February 12, 2020 the Trinity wallet was attacked via a third-party dependency from Moonpay, which resulted in the theft of around 8.55 Ti in IOTA tokens from a total of 50 user accounts. On the same day, the Coordinator was halted to protect Trinity users’ tokens and prevent further thefts. The IOTA Foundation built a new tool to allow users to protect their tokens by migrating to a new, safe account. The migration period (29th Feb — 7th March) is now over and the Coordinator has been resumed.
We continue to work with the FBI, as well as the UK, German, and Maltese police to identify and track the attacker. With the restart of the Coordinator, we are together actively monitoring for any suspicious activity.
If you used Trinity between 17th Dec 2019–17th Feb 2020 and you have not migrated your seed during the migration period, make sure to create a new seed in Trinity and transfer your funds from your old seed.
The steps taken to protect user tokens
As the event unfolded, the IOTA Foundation decided to halt the Coordinator and thereby, stop value transactions. The Coordinator was put in place as a temporary security mechanism during the network’s maturation phase. By temporarily disabling this component we were able to ensure further tokens were not transferred out of compromised users’ wallets. We then provided users with a new tool to migrate their accounts to safety.
The migration tool allowed users to create a regular IOTA transaction that moved their tokens from their old account to a new, secure one. This was done in such a way that the migration procedure could not be compromised. Critical account information (the seed) never left users’ machines. Users were notified about the migration period on the 20th of February and given a period from the 29th of February to the 7th of March to migrate their tokens.
After the migration period, submissions were processed to ensure there were no conflicts. A conflicting migration would indicate that two individuals had attempted to migrate the same account, and an identity check (KYC) would be required to determine the rightful token claimant. A handful of conflicting submissions were created by users accidentally migrating the same seed twice, many of which reached out to us on Discord for advice on how to proceed. We have opted not to enforce KYC for that very small group and made the decision to accept the latest instance of those conflicting submissions.
This means that there was no need to carry out a global ledger snapshot — a simpler and more preferable outcome. All migration submissions would then be validated and confirmed by the nodes of the network so that all users that migrated would see the tokens successfully transferred to their new account shortly after the Coordinator restart.
We want to thank the community again for their patience and cooperation during this period.
If you did not manage to migrate your seed, please refer to our documentation on how to protect your account.
Role of the Coordinator & future development of the IOTA protocol
The Coordinator was, from the very beginning of its existence, designed to be a temporary safety mechanism for the IOTA network. It allowed us to launch the network early and focus on researching and developing novel consensus mechanisms. The effort to remove the Coordinator from the network by developing our new consensus mechanism was later named and announced as Coordicide.
Coordicide has been progressing at a steady pace. The IOTA Foundation released an updated whitepaper in January 2020, and the first version of the Coordicide alphanet in early February 2020. Subsequent versions of the alphanet (GoShimmer) will follow in the upcoming months. Research and development towards Coordicide is an open effort, to which anyone can contribute. All actively researched details can be found on the IOTA Cafe discussion forum.
Key Learnings & Takeaways
Many have been critical about the Coordinator as a centralized component in the IOTA network. Despite this, we wholeheartedly stand by our decision to implement this key safety feature. With the Coordinator in place, the IOTA Foundation was able to protect user tokens and prevent further thefts. Through caution, we have chosen the path of progressive decentralization. Full decentralization remains our primary goal.
This incident underlines the importance of deeply stringent software security practices and is an event that others should learn from, as we have done ourselves.
The IOTA Foundation is overhauling its internal processes, with upcoming changes to software security practices, improvements to our security capabilities and resources, and expansion of our efforts in education and best practices for any software that handles user accounts on the IOTA network.
As a non-profit Foundation, our main objective is to be one of the most trusted organizations in our industry. We will continue to strive for absolute transparency across all aspects of our research and development, instilling open governance within our software development cycle and instigating a heavily-vetted contribution and release process. Over the coming weeks, we will communicate the progress we make in our security practices and software development processes.
You can read more about the timeline of events, the details on the attack and more in the following posts:
- Part 1 summarizes the series of events that led to the attack and the measures taken by the IOTA Foundation. You can read it here.
- Part 2 is the seed migration plan put in place to protect users that might have been affected by the attack. You can read it here.
- Part 3 offers a detailed overview of key learnings, takeaways and measures that the IOTA Foundation will implement to ensure the highest security standards for all of our software development. You can read it here.