Report: GALA token exploit resulted from public leak of private key on GitHub

Published at: Nov. 7, 2022

According to a new post by blockchain security firm SlowMist on Nov. 7, last week’s token exploit affecting GameFi project Gala Games appears to have resulted from the public leak of the relevant private key on GitHub. As SlowMist explained, pNetwork, the cross-chain interoperability bridge used by Gala Games on the BNB Smart Chain, had three privileged roles in its pGALA smart contract.

“The Admin role is used to manage upgrades and changes to the Admin address of the proxy contract. The DEFAULT_ADMIN_ROLE role is used to manage various privileged roles in the logic (eg: MINTER_ROLE ), and the MINTER_ROLE role manages the pGALA token minting authority.”

SlowMist went on to explain that both the DEFAULT_ADMIN_ROLE and MINTER_ROLE roles were controlled by pNetwork during initialization. Meanwhile, the proxy admin contract responsible for upgrading the pGALA contract was controlled by an externally owned address. However, the firm posted a screenshot alleging that the plaintext private key for that proxy admin owner address was exposed and publicly viewable on GitHub. Thus, anyone with access to that private key could have modified the pGALA contract at any time. On Aug. 28, the proxy admin contract owner was replaced, making the protocol vulnerable to an attack.
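The failure described above is a plaintext signing key committed to a repository. As an added defender's check, not SlowMist's or pNetwork's code, the following pre-commit scanner flags 64-hex-digit strings that fall in the valid secp256k1 private-key range and have high entropy, and notes whether the surrounding line names a key-like variable. The sample file contents are constructed.

```python
import math
import re

# Group order n of secp256k1: a usable private key k satisfies 1 <= k < n.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Candidate: optional 0x prefix, exactly 64 hex digits, not part of a longer hex run.
HEX64 = re.compile(r"(?<![0-9a-fA-F])(?:0x)?([0-9a-fA-F]{64})(?![0-9a-fA-F])")
# Variable names that make a 64-hex hit far more likely to be a key than a tx hash.
KEY_CONTEXT = re.compile(r"priv|secret|mnemonic|key", re.IGNORECASE)


def shannon_entropy(s: str) -> float:
    """Bits per character; random hex approaches 4.0, padded or repeated strings far less."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def is_plausible_private_key(hex64: str, min_entropy: float = 3.0) -> bool:
    """True if the 64-hex string is in the valid key range and looks random."""
    k = int(hex64, 16)
    if not 1 <= k < SECP256K1_N:
        return False  # zero, or >= n: cannot be a secp256k1 private key
    return shannon_entropy(hex64.lower()) >= min_entropy


def scan_text(text: str):
    """Return (line_number, masked_candidate, key_context) for every plausible key.

    Transaction and keccak hashes look identical, so a hit without key_context
    is a tripwire for human review, not proof of a leak. Never log the full value.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in HEX64.finditer(line):
            candidate = m.group(1)
            if is_plausible_private_key(candidate):
                masked = candidate[:6] + "..." + candidate[-4:]
                findings.append((lineno, masked, bool(KEY_CONTEXT.search(line))))
    return findings


# Constructed sample .env-style file; the key below is made up, not a real secret.
SAMPLE = """\
# constructed sample, not any project's real configuration
RPC_URL=https://example.invalid/rpc
DEPLOYER_PRIVATE_KEY=0x1f9e3b7c5a2d8e6f4b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a
TX_HASH=0x0000000000000000000000000000000000000000000000000000000000000000
LOW_ENTROPY=abababababababababababababababababababababababababababababababab
PROXY_ADMIN=0x1234567890abcdef1234567890abcdef12345678
"""

if __name__ == "__main__":
    for lineno, masked, ctx in scan_text(SAMPLE):
        print(f"line {lineno}: possible private key {masked} (key-named variable: {ctx})")
```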

The Gala Games token bridge was exploited on Nov. 3 after a single wallet address appeared to have minted over $2 billion in GALA (GALA) tokens out of thin air and dumped the tokens on decentralized exchange PancakeSwap. Around 12,977 BNB (BNB), worth $4.5 million, was drained from the liquidity pool.

Cryptocurrency exchange Huobi alleged the aforementioned activities were a scheme for profit orchestrated by pNetwork. The latter has denied such allegations, while also stating in its post-mortem analysis that “No funds loss happened on the GALA cross-chain bridge. All GALA tokens on Ethereum are safe.”

1/2 We strongly condemn as untruthful Huobi’s accusations against pNetwork and we will seek legal action accordingly. We have documented proof showing that pNetwork has acted in good faith, that all actions were agreed upon in advance with GalaGames and that…

— pNetwork (@pNetworkDeFi) November 6, 2022