On March 6, David Sønstebø, the founder of Iota, revealed that he will personally fully repay all 46 victims of last month’s Iota hack to the tune of 8.52 million MIOTA — worth roughly $1.97 million at the time of writing.
Cointelegraph spoke to David directly, who confirmed that he will reimburse all affected users from his own pocket, and that the Iota Foundation remains on track to relaunch the network on March 10th.
Cointelegraph: We're seeing posts being passed around which indicate you're considering paying back the people affected by the recent Iota hack out of your own personal funds. Could you confirm that these statements are authentic?
David Sønstebø: The messages on Iota's Discord are indeed authentic.
CT: Can you give a brief overview of the hack and the events leading up to it? E.g., how many Iota were stolen?
DS: The hack itself was on MoonPay's infrastructure, but due to the way it was integrated into the Iota wallet, there was a vulnerability that was exploited by the hacker. The total amount of iotas siphoned out of accounts was 8.52 Ti.
CT: How many Iota users were affected in the hack? Do we know how many individual wallets were stolen from?
DS: 46 individuals were directly affected by the attacker; due to swift action (including turning off the Coordinator) by the Iota Foundation, we were able to prevent the attacker from stealing from more people. Two of the users had multiple seeds, so around 50 individual wallets.
CT: What led to you deciding to reimburse users from your own personal funds? Were other options considered? How much will this cost you?
DS: It's quite simple: I did not start Iota with the goal of making myself or my co-founders rich. This is why we are the only project to not have a pre-mine or special allocation of tokens of any sort; Iota is truly grassroots. Our goal is to build the world's first truly decentralized, scalable, and fee-less DLT to catalyze a secure autonomous future and permissionless innovation in a plethora of industries. We are closer than ever to achieving precisely the goal we set out to reach several years ago. Thus, I chose to use my personal holdings (which I haven't touched in 2 years) to safeguard the Iota Foundation's runway. This way we can continue delivering on this ambitious goal unperturbed. I want to emphasize that no individual inside the organization is at fault for this, and that I have never been more proud of the team we have built than now. It will cost around 2 million USD. This is definitely a lot of money, but if my primary motive were money, I have had ample opportunity over the last 2 years to maximize my profits. I have not. For me, the chief goal is to build this future, based on our vision. Hopefully, the culprit will be held accountable one day and the funds recovered. The chances are low, but we did it once before.
CT: What would you say are the lessons you have learned from the experience?
DS: It has been a powerful reminder to never compromise on security under any circumstances. This MoonPay vulnerability emerged due to the Iota Foundation attempting to deliver on all fronts, including building one of the best wallets in the space. In retrospect, we should have done a lot more due diligence and had stricter auditing procedures in place, and simply more patience. I can assure you that this oversight won't repeat itself, and IF has already set up further engagements with third-party auditing firms, as well as hiring more security specialists to [the Iota Foundation].
CT: Do you have any advice for small developers regarding ensuring security?
DS: “Only the paranoid survive” is a good phrase to adhere to when developing software. Beyond that, my advice would also be to never give up; everyone f***s up now and then, it's all about how you respond to the situation and the lessons you carry with you as you continue.
CT: What can we expect from Iota in the coming months?
DS: The Iota project and Iota Foundation are thriving and moving at a faster pace than ever before on all fronts. There are significant updates to the protocol around the corner, known as Chrysalis. We are also partnering up with numerous entities to streamline Iota's path towards mass adoption. In fact, on the day of this attack, we launched Tangle EE, which was somewhat overshadowed by this unfortunate incident. It is something anyone with an interest in DLT ought to check out.
CT: Is Iota still on track to relaunch the network on the 10th of March?