Breaking down the 219M Gala Games Exploit

TL;DR

On May 21, 2024, Gala Games was exploited on the Ethereum Mainnet, which resulted in the excess minting of 5 billion GALA tokens, which were worth approximately $219 million.

Introduction to Gala Games

Gala Games is a web-based gaming platform that also extends its arm to the music and film industries.

Vulnerability Assessment

The root cause of the exploit remains unknown or uncertain. Was it a private key compromise, a case of private key misuse by an insider, or perhaps even team involvement given the shady nature of some DeFi projects? This is all unclear.

Incident Analysis

We attempt to analyze the attack transaction executed by the exploiter.

The minting of this massive number of tokens can be directly correlated with the compromise of the private keys of the deployer or the administrator wallet.

The attacker then took to 0xProject to dump these tokens in chunks of 50 and 100 ETH.

The exploiter was able to swap 599 million GALA tokens for roughly 5,913.20 ETH, which are worth approximately $21.8 million. At the time of this writing, the wallet of the exploiter has a holding of approximately $206,737,478 worth of assets.

The affected Gala contract has a notBlocklisted modifier, allowing the deployer to have privilege access to restrict an address for interacting with the protocol.

modifier notBlocklisted(address _account) {
  require(!blocklisted[_account], "Account is blocklisted");
  _;
}

Two hours and 16 minutes after the exploit, as viewed in this transaction, the deployer has now added the address of the exploiter to the blocklist, effectively reducing the extent of the damage caused by the attack. Therefore, the actual loss of assets suffered by the protocol stands at $21.8 million. The excess of 4,401,236,462 GALA tokens will be burned by the team.

Aftermath

The team acknowledged the occurrence of the exploit and stated that the incident has been contained and the impacted wallet has been frozen. The exploit was an isolated incident, the cause of which has already been addressed, and the team is not closely working with law enforcement agencies to investigate the individuals behind the breach.

Eric Schiermeyer, the CEO of Gala Games, took to X (formerly Twitter) to highlight the details surrounding the incident. According to him, the Gala contract on the Ethereum Mainnet is guarded by a multisignature wallet, which was never compromised. This incident was the result of a loosely coupled internal control within the team.

Solution

In response to the Gala Games exploit, it is imperative to address the underlying vulnerabilities and implement robust security measures to prevent future incidents. The exploit highlights the critical importance of safeguarding private keys, as their compromise can result in severe financial losses. Implementing secure storage solutions is paramount, with hardware wallets being a recommended option for cold storage. These wallets keep the majority of assets offline, reducing exposure to online threats. For operational liquidity, a minimal amount of assets should be kept in hot wallets, protected by stringent security protocols.

Multi-signature wallets provide an additional layer of security by requiring multiple parties to authorize transactions. This significantly mitigates the risk of unauthorized access due to compromised keys. Regular security audits and vulnerability assessments are essential to identify potential security gaps and ensure that private key management protocols remain secure and up-to-date.

The Gala Games team must also focus on continuous education and vigilance against phishing, social engineering, and malware threats. Regular security training for team members on the latest threats and secure communication practices can substantially reduce the risk of such attacks. Keeping software, including wallets and security tools, updated is crucial for defending against known vulnerabilities.

Despite the existence of blacklist functionality in the Gala Games protocol, the team took over two hours to restrict the attacker’s access, by which time significant damage had already been done, resulting in losses of over $21 million. However, this functionality did help prevent a larger scale of damage. To enhance the protocol’s response time, the team should implement automated monitoring and alert systems to detect and respond to suspicious activities more swiftly.

This article was originally published by Pukar Acharya for Neptune Mutual.




    Enjoy Reading This Article?

    Here are some more articles you might like to read next:

  • Unlocking the Power of Uniswap V4 Hooks
  • Preprocessing Unstructured Data for LLM Applications
  • Fine-Tuning Large Language Models
  • Guide to LangChain for LLM Development
  • The Art of ChatGPT Prompt Engineering