Loopring hit by $5 million hacker attack, Guardian two-factor authentication service compromised

Loopring, a zkEVM protocol on Ethereum, has announced that its "Guardian" two-factor authentication service was compromised, resulting in the theft of tokens worth $5 million. Loopring has advised affected users to contact the protocol foundation's mailbox.

What Vulnerability Occurred in Loopring?

Loopring encountered a security vulnerability in its Guardian service.

This service allows users to designate trusted wallets to assist in secure operations, such as locking compromised wallets or recovering wallets in case of lost mnemonic phrases. Unfortunately, a hacker successfully bypassed Loopring's official Guardian service and initiated an unauthorized reset operation on a wallet with only one trusted Guardian wallet.

The hacker exploited a loophole in the Guardian service, allowing them to reset the wallet without user permission. According to Loopring, authorizing transactions requires approval from over half of the Guardians, so wallets using multiple Guardians or third-party Guardians were not affected by this vulnerability.

Some Wallets Affected, Loss of Five Million Dollars

Loopring disclosed two wallet addresses involved in the vulnerability, with data showing that one of the wallets lost approximately $5 million in tokens.

Loopring's Response

Loopring is actively collaborating with security experts to understand how the two-factor authentication service was compromised. To protect users, Loopring has temporarily halted all operations related to Guardian and two-factor authentication. Loopring stated in their announcement on X that "the vulnerability has been stopped following this action."

The protocol is working with law enforcement to track the hacker. It also urges anyone with additional information about this attack to come forward. This collaborative effort aims to minimize damages and prevent future attacks.

Preventive Measures

Loopring's risk disclosure statement had already indicated that the Guardian service could be susceptible to such breaches.

The protocol recommends that users designate at least three Guardians to enhance security: "After creating a wallet, we will add the Loopring official Guardian service to your wallet by default. As a centralized service, Loopring's official Guardian may be vulnerable to hacker attacks and control."
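
The "over half of the Guardians" rule and the three-Guardian recommendation can be turned into a configuration check that flags wallets where one operator alone can approve a reset. This is an added example, not Loopring's code: it assumes "over half" means floor(n/2)+1 approvals, and the wallet names, guardian ids, operator labels and function names are hypothetical.

```python
from __future__ import annotations
from collections import Counter


def approvals_required(guardian_count: int) -> int:
    """Smallest approval count that is strictly more than half (assumed rule)."""
    if guardian_count < 1:
        raise ValueError("wallet has no guardians")
    return guardian_count // 2 + 1


def single_operator_risks(guardians: dict[str, str]) -> list[str]:
    """Operators that control enough guardians to reach the quorum alone.

    `guardians` maps a guardian id to the operator who controls it.
    A non-empty result means compromising that one operator is sufficient
    to authorize a reset of the wallet.
    """
    need = approvals_required(len(guardians))
    per_operator = Counter(guardians.values())
    return sorted(op for op, n in per_operator.items() if n >= need)


def audit(wallets: dict[str, dict[str, str]]) -> dict[str, list[str]]:
    """Run the single-operator check over every wallet configuration."""
    return {name: single_operator_risks(g) for name, g in wallets.items()}


# Constructed sample configurations (not real wallets or addresses).
WALLETS = {
    # Default setup described in the article: only the official Guardian.
    "wallet_a": {"guardian-1": "official-service"},
    # Recommended setup: three Guardians under independent control.
    "wallet_b": {"guardian-1": "official-service",
                 "guardian-2": "friend",
                 "guardian-3": "own-hardware-wallet"},
    # Three Guardians, but two share one operator: still a single point of failure.
    "wallet_c": {"guardian-1": "custodian-x",
                 "guardian-2": "custodian-x",
                 "guardian-3": "friend"},
}

if __name__ == "__main__":
    for name, risky in audit(WALLETS).items():
        status = "AT RISK via " + ", ".join(risky) if risky else "ok"
        print(f"{name}: {status}")
```

The third wallet shows why the Guardian count alone is not enough: the Guardians also need to be controlled by independent parties.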