What the 2020 MoonPay Hack Taught the Crypto Industry | Hacker Noon

Author profile picture

@axAx Sharma

Security Researcher, Engineer, Tech Columnist | https://hey.ax/

What was the mistake of a startup, cost another business $2 million! In February 2020, we learned that MoonPay, a relatively new cryptocurrency company was hacked. Interestingly, this cost IOTA and their customers a fortune!

IOTA, which is “the first distributed ledger built for the Internet of Things” had been relying on MoonPay’s infrastructure to provide features related to their cryptocurrency wallet called Trinity.
In an interview with CoinTelegraph, David Sønstebø, the founder of Iota said, “The hack itself was on MoonPay’s infrastructure, but due to the way it was integrated into the Iota wallet, there was a vulnerability that was exploited by the hacker. The total amount of iotas siphoned out of accounts [was] 8.52 Ti.”

MoonPay describes itself as “The new standard for fiat to crypto. We build developer tools to make cryptocurrencies accessible to everyone.”

And, things are looking pretty bright for MoonPay. This month, the company announced they’d be providing “direct access to Apple Pay, Samsung Pay, Visa, Mastercard & other payment processors” in over 160 countries.


At the time of the IOTA hack, MoonPay had inadequate security controls and factors on IOTA’s end like “release pressure and human error,” are what led to this breach.

A detailed analysis by IOTA shared on their blog traced back the issue to MoonPay’s SDK hosted on a Content Delivery Network (CDN), subject to potential abuse by hackers.

Although MoonPay, at IOTA’s request, did provide a Node.js module that would mitigate such security risks potentially arising from their CDN infrastructure, it was done towards the end of the integration process, which caused an oversight of the security issue.

“At the time of its integration into Trinity, Moonpay was only available as bundled code delivered by a CDN, so the IOTA Foundation integrated it as such. Although widely used in web technologies, CDN delivery has inherent risks. One of those risks is that the code expected by the device could be unknowingly replaced with code that is not expected,” explains the blog post.

“The IOTA Foundation flagged the risks involved and requested an NPM (Node package manager) module to mitigate it. This was later published by MoonPay, after most of the integration work had already been done, but release pressure and human error added up to the Foundation not switching to the more secure NPM package prior to launch.”

“This was the weakness leveraged by the attacker and one that could likely have been resolved if the Foundation had had a more extensive, cross-team review process for larger releases,” the post further explained.

Regardless, it was IOTA that took the responsibility for the breach and the appropriate steps and action in compensating the victims of the breach.

The takeaways

Although Iota’s founder has been magnanimous in taking responsibility and personally volunteering to offer compensation to the victims of the breach, the following best practices could help save your business from mishaps like these.

Vet your partners carefully

Just because a solutions provider or a potential corporate partner is new in the market isn’t an automatic disqualification. Had businesses not giving startups a chance, we’d have none left in the game!

However, it doesn’t hurt to vet your partners properly and ensure they adhere to proper industry standards when it comes to basic security practices.

In working with MoonPay, IOTA overlooked performing security audits of their infrastructure due to the pressure of releasing a working product fast. A thorough security audit and pen-testing would have revealed any security vulnerabilities lurking in the CDN.

Ignoring best practices can backfire, as we saw in this case.

Perform thorough security audits

…of your own infrastructure, and your partner companies!

To the previous point, postmortem analysis of the breach demonstrates the vulnerability existed in the CDN. Attackers had altered the CDN code on the MoonPay’s infrastructure with malicious code which was then loaded by IOTA’s systems.

“Trinity caches found irrefutable proof that they had been compromised with one of several illicit versions of Moonpay’s software development kit (SDK), which was being loaded automatically from Moonpay’s servers (their CDN) when a user opened Trinity,” the blog post explains.

“The code was loaded into the local Trinity instance, and, after the user’s wallet was unlocked, decrypted the user’s seed and sent the seed and password to a server controlled by the attacker. Before transferring tokens out, the attacker awaited the release of a new Trinity version, which would overwrite Trinity’s cache files and thus remove the remaining traces of the hacker’s exploit. With this realization and code samples in hand, the IOTA Foundation immediately filed a report with the Berlin Police Cyber Division.”

History has shown us even those companies who constantly brag about “taking users’ privacy and security seriously” get breached all the time, despite their best efforts.

This means, while the integration aspect of business and expanding your company might be important and have stringent deadlines, doing so at the risk of a potential security trade-off is really taking chances, in today’s world.

FinTech is a high liability industry

Data leaks and breaches are already an everyday nuisance for digital businesses. But when you are dealing in cryptocurrency or FinTech, you are not only the guardians of people’s data but their real money! And that can get ugly fast.

The MoonPay-IOTA integration fiasco led to IOTA having to compensate $2 million to their customers who were the victims of this breach.

Data breaches already bring with them lawsuits and hefty fines, especially if GDPR applies to your business. However, data breaches involving financial loss to the customer are two times the trouble.

When stepping into FinTech, already a highly regulated industry, be sure to check all the boxes, have regular security audits of your systems, and have all kinds of insurance policies you can possibly get.

Accept responsibility when things go wrong

I cannot stress less, the responsibility demonstrated by IOTA leadership is commendable. As opposed to pointing fingers, the founder himself stepped up to pacify the situation by offering a solution that’d make everyone, including MoonPay happy.

IOTA’s founder, Sønstebø himself paid $2m to the victims of the breach, although this might be regarded as questionable in the business world.

“It’s quite simple: I did not start Iota with the goal of making myself or my co-founders rich. This is why we are the only project to not have a pre-mine or special allocation of tokens of any sort; Iota is truly grassroots,” Sønstebø said in the CoinTelegraph interview.

He continued, “It will cost around ~2 million USD. This is definitely a lot of money, but if my primary motive was money I have had ample opportunity over the last 2 years to maximize my profits. I have not. For me, the chief goal is to build this future, based on our vision. Hopefully, the culprit will be held accountable one day and the funds recovered. The chances are low, but we did it once before.”

In conclusion, the various lessons learned in this case can help both established FinTech companies and newer startups in understanding the risks from trading off security in the favor of faster releases, and how can these issues be prevented.


The Noonification banner

Subscribe to get your daily round-up of top tech stories!

read original article here