TL;DR#

On May 21, 2024, Gala Games was exploited on the Ethereum Mainnet, which resulted in the excess minting of 5 billion GALA tokens, which were worth approximately $219 million.

Introduction to Gala Games#

Gala Games is a web-based gaming platform that also extends its arm to the music and film industries.

Vulnerability Assessment#

The root cause of the exploit remains unknown or uncertain. Was it a private key compromise, a case of private key misuse by an insider, or perhaps even team involvement given the shady nature of some DeFi projects? This is all unclear. 

Incident Analysis#

We attempt to analyze the attack transaction executed by the exploiter.

The minting of this massive number of tokens can be directly correlated with the compromise of the private keys of the deployer or the administrator wallet.

The attacker then took to 0xProject to dump these tokens in chunks of 50 and 100 ETH.

The exploiter was able to swap 599 million GALA tokens for roughly 5,913.20 ETH, which are worth approximately $21.8 million. At the time of this writing, the wallet of the exploiter has a holding of approximately $206,737,478 worth of assets.

The affected Gala contract has a `notBlocklisted` modifier, allowing the deployer to have privilege access to restrict an address for interacting with the protocol. 

modifier notBlocklisted(address _account) {
  require(!blocklisted[_account], "Account is blocklisted");
  _;
}

Two hours and 16 minutes after the exploit, as viewed in this transaction, the deployer has now added the address of the exploiter to the blocklist, effectively reducing the extent of the damage caused by the attack. Therefore, the actual loss of assets suffered by the protocol stands at $21.8 million. The excess of 4,401,236,462 GALA tokens will be burned by the team.

Aftermath#

The team acknowledged the occurrence of the exploit and stated that the incident has been contained and the impacted wallet has been frozen. The exploit was an isolated incident, the cause of which has already been addressed, and the team is not closely working with law enforcement agencies to investigate the individuals behind the breach.

Eric Schiermeyer, the CEO of Gala Games, took to X (formerly Twitter) to highlight the details surrounding the incident. According to him, the Gala contract on the Ethereum Mainnet is guarded by a multisignature wallet, which was never compromised. This incident was the result of a loosely coupled internal control within the team.

Solution#

In response to the Gala Games exploit, it is imperative to address the underlying vulnerabilities and implement robust security measures to prevent future incidents. The exploit highlights the critical importance of safeguarding private keys, as their compromise can result in severe financial losses. Implementing secure storage solutions is paramount, with hardware wallets being a recommended option for cold storage. These wallets keep the majority of assets offline, reducing exposure to online threats. For operational liquidity, a minimal amount of assets should be kept in hot wallets, protected by stringent security protocols.

Multi-signature wallets provide an additional layer of security by requiring multiple parties to authorize transactions. This significantly mitigates the risk of unauthorized access due to compromised keys. Regular security audits and vulnerability assessments are essential to identify potential security gaps and ensure that private key management protocols remain secure and up-to-date.

The Gala Games team must also focus on continuous education and vigilance against phishing, social engineering, and malware threats. Regular security training for team members on the latest threats and secure communication practices can substantially reduce the risk of such attacks. Keeping software, including wallets and security tools, updated is crucial for defending against known vulnerabilities.

Despite the existence of blacklist functionality in the Gala Games protocol, the team took over two hours to restrict the attacker’s access, by which time significant damage had already been done, resulting in losses of over $21 million. However, this functionality did help prevent a larger scale of damage. To enhance the protocol's response time, the team should implement automated monitoring and alert systems to detect and respond to suspicious activities more swiftly.

Even with stringent security protocols, the risk of vulnerabilities being exploited remains. In such cases, partnering with Neptune Mutual can be invaluable. Establishing a dedicated cover pool with Neptune Mutual can significantly mitigate the negative impacts of incidents like the Gala Games exploit. Neptune Mutual specializes in providing coverage for losses due to smart contract vulnerabilities and employs parametric policies tailored to these unique risks. While losses from private key compromises typically fall outside our coverage scope, exceptions may be considered under extraordinary circumstances.

Working with Neptune Mutual streamlines the recovery process by reducing the need for extensive proof-of-loss documentation. After an incident is verified and resolved through our comprehensive incident resolution protocol, our focus shifts to swiftly providing compensation and financial support to those affected. This ensures prompt assistance for users impacted by security breaches.

Our coverage through our marketplace spans several key blockchain networks, including Ethereum, Arbitrum, and the BNB chain, offering extensive support to a variety of DeFi users. This broad coverage enhances our capacity to protect against a range of vulnerabilities, thereby strengthening the overall security of our diverse client base.

Reference Source PeckShield