A very serious vulnerability has just been found in Komodo’s wallet that would allow hackers to steal user funds. Komodo (KMD), a fork of the Zcash blockchain, is a privacy coin that allows users to shield their transaction details to keep transfers private.
The vulnerability was so severe and the likelihood of exploitation so high that when Komodo’s leadership team discovered the vulnerability, they decided to take immediate action to protect their users.
So to pre-empt a potential outside hack, they used the same vulnerability to gather up 8 million KMD and 96 BTC from user wallets and deposit these coins into a secure wallet controlled by Komodo.
Essentially, Komodo stole its users funds to protect them from being stolen by others.
Let that sink in for a moment.
At current prices, that’s $11.84m of KMD and $750,000 in Bitcoin pulled out of wallets and held for “safe-keeping”.
This would be like if your insurance company inspected your house and found that your back door was unlocked. But rather than just reporting this to you, you come home to find that they’ve come in, changed the locks and locked you out of your own house.
You might be “safe” because of it, but now you’re wondering who is the real threat.
As you can imagine, this hack brings forward a number of severe governance questions.
Did Komodo’s leadership do the right thing?
Should Komodo have left the funds to be potentially stolen by hackers?
Old school advocates would likely argue that “Code is Law” and that Komodo violated its users’ rights. The funds held in wallets were not under Komodo’s custodianship and they had no legal or moral right to touch those funds.
Conversely, others in the crypto community may be appreciative that the project took action to protect its users. Would it have been better to let hackers take the coins?
Rights vs. protection. It’s the classic debate, and the same question that led to the ETH and ETC split.
Either way you stand, it’s going to take a massive effort to repair Komodo’s hard-fought reputation. I am rooting for Komodo to fix this and recover, but it will not be easy.
First, Komodo’s leadership team must figure out how to re-allocate the 8M KMD to its rightful owners. And so far, how it plans to do this is unclear.
As a final comment, Insiders should note that as of today, KMDs price has barely moved. This indicates that most industry participants have no idea of what happened— with the vulnerability or the leadership team’s response.
This highlights the HUGE information asymmetry faced by the industry. A strong reminder that if you want to participate in this industry it is essential that you really live and breath crypto. Things are changing all the time, and if you don’t keep up you could lose everything.