I lost all my LSK on Exodus due to an exploit

Dear crypto HODLers,

yesterday I wanted to get rid off my LSK which I have kept for ages and wanted to trade them against CUB where I see way more potential.
When sending the LSK token over to Binance from my Exodus wallet, I got an error message and that I should rescan the LSK wallet. This didn´t help and also restarting Exodus, updating the version and rebooting the computer didn´t help. Also swapping the LSK against other cryptos wasn´t possible.

Cutting a long story short, the support from Exodus finally told me that apparently my Lisk address (and that of other customers) on Exodus was "uninitialized" which means it was never used to send out funds. And indeed, I had used that address only once, to send LSK from an exchange to Exodus because I - naivly - thought they would be save there!

I was never made aware that with a LSK address you need to send out token at least once to initialize it.

Why the need to initialize? Because - and now the crazy stuff starts - only after initalization (i.e. the first transfer out of a LSK wallet), a public key corresponding to the private key is generated. As long as an address is uninitialized, no public key for that address is known to the blockchain.

This amazing fact could be used for an exploit described here. Since a public key is 256 bit long but a Lisk address is only 64 bit long, there are many possible public keys to every private key, but they are still not easy to find. The economics of stealing uninitialized Lisk accounts is detailed here, in case you are interested. But I am not an IT nerd, I have just to accept the fact. My LSK - worth today app. 800€ - are gone for good 😩.

The most stupd part is that it would have taken only a minute to do such a transfer, but if you don´t know it you can´t do it.

Was it a hack? No, rather a - poorly communicated - design flaw.

BUT - Exodus should have been aware about that and have told their customers in advance about it, e.g. as an automatic response once a new LSK wallet is generated!

So I think they should take a part of the blame.
Instead, the support guy just offered his sympathies to my loss and highly recommended that for safety reasons I should create a new Exodus wallet. I.e. transferring all assets to a new interim wallet, deleting the old one and create a new one. What a hassle.

My trust in Exodus is slightly damaged (let alone LSK, I am done with them). Would you recommend a different desktop wallet?

image.png

H2
H3
H4
3 columns
2 columns
1 column
22 Comments