Report: GALA token exploit resulted from public leak of private key on GitHub

It appears that the leaked private key caused a change of ownership in the compromised smart contract 70 days prior.

According to a new post by blockchain security firm SlowMist on Nov. 7, it appears that the last week’s token exploit affecting GameFi project Gala Games resulted from a public leak of applicable security keys on GitHub. As told by SlowMist, pNetwork, the cross-chain interoperability bridge used by Gala Games on the BNB Smart Chain, had three privileged roles in its smart contract pGALA.

“The Admin role is used to manage upgrades and changes to the Admin address of the proxy contract. The DEFAULT_ADMIN_ROLE role is used to manage various privileged roles in the logic (eg: MINTER_ROLE ), and the MINTER_ROLE role manages the pGALA token minting authority.”

SlowMist went on to explain that both the DEFAULT_ADMIN_ROLE and MINTER_ROLE roles were controlled by pNetwork during initialization. Meanwhile, the proxy admin contract was an externally owned address responsible for upgrading the pGALA contract. However, the firm posted a screenshot alleging that the plaintext private key for the proxy admin owner address was exposed and publicly viewable on GitHub. Thus, any user with access to the private key could have manipulated the pGALA contract at any time. On Aug. 28, the proxy admin contract owner was replaced, making the protocol vulnerable to an attack.

The Gala Games token bridge was exploited on Nov. 3 after a single wallet address appeared to have minted over $2 billion in GALA (GALA) tokens out of thin air and dumped the tokens on decentralized exchange PancakeSwap. Around 12,977 BNB (BNB), worth $4.5 million, was drained from the liquidity pool.

Cryptocurrency exchange Huobi alleged the aforementioned activities were a scheme for profit orchestrated by pNetwork. The latter has denied such allegations, while also stating in its post-mortem analysis that “No funds loss happened on the GALA cross-chain bridge. All GALA tokens on Ethereum are safe.


About Author


Deprecated: Directive 'allow_url_include' is deprecated in Unknown on line 0