Report: GALA token exploit resulted from public private key leak on GitHub

It appears the private key leak caused a change of ownership in the compromised smart contract 70 days prior.


According to a new post from blockchain security firm SlowMist on November 7, it appears that last week's token exploit affecting the GameFi Gala Games project resulted from a public leak of the relevant private key on GitHub. As SlowMist recounted, pNetwork, the cross-chain interoperability bridge used by Gala Games on the BNB Smart Chain, had three privileged roles in its pGALA smart contract.

"The administrator role is used to manage upgrades and changes to the proxy contract administration address. The DEFAULT_ADMIN_ROLE role is used to manage various privileged roles in logic (for example: MINTER_ROLE), and the MINTER_ROLE manages the minting authority of the pGALA token."

SlowMist went on to explain that the DEFAULT_ADMIN_ROLE and MINTER_ROLE roles are checked by pNetwork during initialization. Meanwhile, the proxy administration contract was an external address responsible for upgrading the pGALA contract. However, the company posted a screenshot alleging that the plaintext private key of the proxy admin's owner address was exposed and publicly visible on GitHub. Thus, any user with access to the private key could have manipulated the pGALA contract at any time. On August 28, the owner of the proxy administration contract was changed, leaving the protocol vulnerable to attack.
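The root cause described above is a plaintext signing key committed to a public repository. As an added illustration (not SlowMist's or pNetwork's tooling), the Python scanner below is the kind of pre-commit check that would have caught it: it finds 32-byte hex values, keeps only those inside the valid secp256k1 scalar range so that ordinary transaction hashes are not all flagged, and rates each hit by whether nearby identifiers suggest a key. The sample file contents and key values are constructed.

```python
import os
import re
from typing import Dict, List

# secp256k1 group order: a usable private key is an integer in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# 64 hex chars, optionally 0x-prefixed, not embedded in a longer hex run.
HEX32_RE = re.compile(r"(?<![0-9a-fA-F])(?:0x)?([0-9a-fA-F]{64})(?![0-9a-fA-F])")

# Identifier fragments that make a hex value look like a signing key rather
# than a hash. "owner" is included because the leaked key here belonged to
# the proxy admin's owner address.
KEY_CONTEXT = ("private", "privkey", "priv_key", "secret", "mnemonic", "owner", "deployer")


def scan_text(text: str, source: str = "<constructed>") -> List[Dict]:
    """Return one finding per candidate key, in file order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in HEX32_RE.finditer(line):
            value = int(m.group(1), 16)
            if not 1 <= value < SECP256K1_N:
                continue  # outside the scalar range: cannot be a secp256k1 key
            hits = [w for w in KEY_CONTEXT if w in line.lower()]
            findings.append({
                "source": source, "line": lineno, "candidate": m.group(1),
                "context_hits": hits,
                # A range-valid value next to a key-like name is treated as a leak;
                # a bare value (e.g. a tx hash) is queued for manual review.
                "severity": "high" if hits else "review",
            })
    return findings


def scan_tree(root: str) -> List[Dict]:
    """Walk a checkout (skipping .git) and scan every readable text file."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                findings.extend(scan_text(fh.read(), source=path))
    return findings


# Constructed deploy-script excerpt; none of these values are real keys or hashes.
SAMPLE = """\
# constructed sample of a misconfigured deploy script
PROXY_ADMIN_OWNER_PRIVATE_KEY = "0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
TX_HASH = "0xabababababababababababababababababababababababababababababababab"
NOT_A_KEY = "0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
RPC_URL = "https://example.invalid"
"""
```

Running `scan_text(SAMPLE)` reports the owner key as "high" and the hash-looking value as "review"; the all-0xff value is dropped because it exceeds the curve order.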

The Gala Games token bridge was exploited on November 3 after a single wallet address appears to have minted over $2 billion in GALA (GALA) tokens out of thin air and dumped them on the decentralized exchange PancakeSwap. Approximately 12,977 BNB (BNB), worth $4.5 million, were drawn from the liquidity pool.

Cryptocurrency exchange Huobi has allegedly...
