A security-relevant bug has been identified in the Firefly Shimmer Wallet. What is drawing particular criticism: the bug has been known since the launch of SMR, but the IOTA side project has still not fixed it.
The IOTA side project Shimmer (SMR) had only just celebrated a largely successful launch when the mood was spoiled by a security-relevant bug in the associated Firefly Shimmer Wallet. Shortly after the Shimmer launch, a user reported the bug in detail in the corresponding IOTA project on GitHub, but the developers have not yet found the time or a way to fix the urgent problem. Now the well-known IOTA critic "Buffy" has made the matter public on Twitter.
Specifically, the issue is that the version of the IOTA Firefly Wallet released for Shimmer may misrepresent the amount of SMR in a transaction: the user believes they are sending 1.04 SMR, but the transfer actually carries 104 SMR. The problem occurred when interacting with a Ledger hardware wallet and the IOTA trading platform Soonaverse. Because the user approves whatever amount the wallet displays, a mismatch between the displayed amount and the amount actually signed is all an attacker needs. "Buffy" therefore sees the reproducible bug as a gateway for theft and accuses the developers of gross negligence in programming the module.
"Buffy" has long been an irritant in the IOTA community because of her criticism. But on substance she has again put her finger on a sore spot. A bug in new software such as the Firefly Shimmer app can of course happen, but it should then be fixed quickly and communicated transparently. That did not happen in this case. Only after being startled by her tweet did the developers raise the priority of the issue. Initially there was no comment from Shimmer, the IOTA Foundation or Soonaverse.
Conclusion: First setback for Shimmer – was the launch of SMR premature?
From the perspective of investors and users of the Firefly Shimmer app, the security problem is real, even if it appears to affect, at least in part, only the German-language version of the wallet. After all, it gives attackers the opportunity to request an SMR amount via a payment link and receive up to 100 times the amount the user believes they are sending. IOTA wallets have been under special scrutiny since Firefly's predecessor, Trinity: a serious security flaw in Trinity allowed hackers to steal millions in February 2020 and forced an emergency shutdown of the Tangle network for nearly a month. With this experience behind it, it is doubly incomprehensible that the Firefly Shimmer wallet was apparently not tested thoroughly enough before launch and that the developers did not immediately try to fix the bug that has now become known.
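The failure mode described above, a wallet that displays 1.04 SMR but transfers 104 SMR, with apparently only the German-language build affected, is exactly what a locale-sensitive number parser produces when a period is treated as a thousands separator instead of a decimal point. The following JavaScript is an example added for this article, not code from Firefly, the IOTA Foundation or Soonaverse. The article does not name the root cause, so the locale mechanism is an assumption that merely reproduces the symptom; the 6-decimal base unit, the hard-coded separator table and all function names are illustrative.

```javascript
// Added example for this article (not Firefly's code): how an amount parser that
// applies locale number conventions can silently turn "1.04" into 104 whole
// tokens, and a hardened parser that works in integer base units and refuses
// ambiguous input. The article does not state the root cause of the reported
// bug; the locale mechanism below is an assumption that reproduces the symptom.

// Assumption: SMR amounts are handled with 6 decimal places (base unit "glow").
const DECIMALS = 6;
const SCALE = 10n ** BigInt(DECIMALS);

// Hard-coded separators for the two locales discussed. A real wallet would take
// them from Intl.NumberFormat(locale).formatToParts(); the point here is what
// happens once "." means "thousands" instead of "decimal".
const SEPARATORS = {
  'en-US': { group: ',', decimal: '.' },
  'de-DE': { group: '.', decimal: ',' },
};

// The fragile pattern: strip group separators, swap in a JS decimal point, parseFloat.
// Under de-DE the "." in "1.04" counts as a thousands separator and simply vanishes.
function naiveParse(input, locale) {
  const { group, decimal } = SEPARATORS[locale];
  const normalized = input.split(group).join('').replace(decimal, '.');
  return parseFloat(normalized);
}

// Hardened parser: returns a BigInt in base units (never a float), allows only
// digits plus a single decimal separator, and rejects the locale's group
// separator outright, because an amount entry field never needs thousands separators.
function parseAmountToBaseUnits(input, locale) {
  const { group, decimal } = SEPARATORS[locale];
  const s = input.trim();
  if (!/^[0-9.,]+$/.test(s)) throw new Error(`invalid characters in amount "${input}"`);
  if (s.includes(group)) {
    throw new Error(`group separator "${group}" is not allowed in an amount (got "${input}")`);
  }
  const pieces = s.split(decimal);
  if (pieces.length > 2) throw new Error(`more than one decimal separator in "${input}"`);
  const [whole, frac = ''] = pieces;
  if (frac.length > DECIMALS) throw new Error(`more than ${DECIMALS} decimal places in "${input}"`);
  return BigInt(whole || '0') * SCALE + BigInt(frac.padEnd(DECIMALS, '0'));
}

// Format base units back into the user's locale. The confirmation screen must be
// rendered from the same integer that goes into the signed transaction.
function formatBaseUnits(units, locale) {
  const { decimal } = SEPARATORS[locale];
  const whole = units / SCALE;
  const frac = (units % SCALE).toString().padStart(DECIMALS, '0');
  return `${whole}${decimal}${frac}`;
}

// Derive what the wallet signs and what it shows from one and the same value.
function buildTransferPreview(input, locale) {
  const baseUnits = parseAmountToBaseUnits(input, locale);
  return { baseUnits, display: `${formatBaseUnits(baseUnits, locale)} SMR` };
}

// Ratio between what the naive parser would sign and what the sender meant,
// reading the input with "." as the decimal point (1.04 -> 104 is a factor of 100).
function misreadFactor(input, locale) {
  const intended = Number(parseAmountToBaseUnits(input, 'en-US')) / Number(SCALE);
  return naiveParse(input, locale) / intended;
}

// Constructed demo input: the amount string a payment request link might prefill.
const requested = '1.04';
console.log('naive en-US:', naiveParse(requested, 'en-US'));
console.log('naive de-DE:', naiveParse(requested, 'de-DE'));
console.log('factor de-DE:', misreadFactor(requested, 'de-DE'));
for (const locale of ['en-US', 'de-DE']) {
  try {
    console.log(locale, buildTransferPreview(requested, locale));
  } catch (e) {
    console.log(locale, 'rejected:', e.message);
  }
}
```

Two properties make a wallet robust against this class of bug whatever the exact cause turns out to be: amounts are parsed straight into integer base units, and the confirmation screen is rendered from the very integer that is handed to the signer (here the Ledger), so that what the user approves and what is signed cannot diverge. A request link that carries a pre-formatted decimal string, as in the flow described above, should be rejected or explicitly re-confirmed whenever it contains the user locale's group separator, rather than silently reinterpreted.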