On February 12th an attack was launched by a Pool of Hackers who managed to break into some accounts of the Iota Trinity Wallet and take almost $ 2 million.
Before getting to the heart of the fraudulent act and how it was perpetrated, I will try to clarify the operating system of Iota, since the architecture of the system was not attacked but it happened through a third party flaw.
The peculiarity of the IOTA Foundation is its transaction validation system to be written on the DLT (Distributed Ledger Technologies).
To obtain the validation of any cryptographic transaction we rely on the method of the Byzantine Generals; that is consensus: when the majority of nodes agree on a possible solution to the problem, we write the block: therefore, the Blockchain is obtained thanks to the Game Theory.
The main cryptocurrency that uses this system is Bitcoin and as we all know it uses a large amount of energy.
Not only that, the calculations to be made also imply a slowness in evasion, consequently there is a limit in the number of operations that can be recorded in the unit of time (about 7 per second).
The intrinsic feature described above is called Scalability and is one of the limiting factors to Bitcoin's Mass Adoption
Pay attention: this feature was designed by the Nakamoto Team, to give greater security to the system and be able to make it decentralized in all respects.
The Nakamoto Team has in fact created a decentralized system, as in order to subvert the system, it would be necessary that at least 51% of the Miners' computing power be managed by a single Team: in that case incorrect operations could also be validated .
As I mentioned, Iota uses a different system, which is called a Direct Acyclic Graph.
In simple terms, if you start from a vertex, following the path, you never go back to the starting point: this is because the vertices are connected by a line with a direction and a direction.
In the figure you see an example of the graph.
Iota's developers follow this principle: I create my own transaction and in doing so I validate two Random transactions before mine.
My transaction is clearly not validated yet as a subsequent transaction is needed to execute it.
In doing so, Iota was able to eliminate the presence of the Miners, as my transaction will validate two previous transactions.
In this post I am going to go in depth on the Iota Tangle.
In order to understand where the flaw was, Iota Foundation deactivated the Mainnet, blocking the validation of all transactions.
So, it has become clear that the Coordinator makes Iota centralized.
But let's see what happened.
Iota has entered into a partnership with another company, MoonPay, which gives the possibility to purchase Miota directly from fiat currency without too many checks.
To do this, MoonPay created Seed (Wallet recovery phrases) bypassing 2FA (Two Factor Authentication) and KYC (Know Your Customer) confirmations.
And here the ground is fertile for evildoers!
The attack was planned a long time in advance: it began almost concurrently with the launch of the Partnership.
This is because the hackers had to be able to get into the stream and then find the flaw.
The hackers managed to sneak into MoonPay's algorithms and inserted the wrong SDKs (Software Development Kits).
In doing so, a user installed the unofficial application that was previously modified by the hackers, giving the mean gateway the full possession of the seeds.
The extremely important thing that emerges from this bad story is a lesson that we all need.
Safety is never too much and even if we may find processes like KYC boring, they have been set up in order to protect us.
Secondly, when we make a purchase we must be very vigilant, I'll give you an example.
To buy any object, we gather information, we verify, and when we have an idea that the product can satisfy our needs, we proceed with the purchase. Usually we also keep the packaging receipt and everything that allows us, one day, to comply with the warranty terms.
When we buy cryptocurrency, the procedure must be the same: we cannot rely on a third party operator who allows us to bypass extremely delicate processes (see KYC, 2FA or others).
I recommend that the purchase of cryptocurrency is performed directly from the site (which can be the owner of the coin or an Exchange) and not through shortcuts (private resellers, secondary website applications and so on).
We take all the steps that allow us a certain security and, why not we can also make a profit: if we are attentive to the market, we can place the purchase in a favorable position!
Pay attention of safety instead of paying the cost of consultants for the recovery of what is lost or stolen.
That's a lot of money that was taken. I hope something like this never occurs again