Технологија

Искоришћавање ГАЛА токена је резултат јавног цурења приватног кључа на ГитХуб-у

11/07/2022
Битцоин Етхереум Невс

According to a new post by blockchain security firm SlowMist on Nov. 7, it се појављује that the last week’s token exploit affecting GameFi project Gala Games је резултат јавног цурења применљивих безбедносних кључева на ГитХуб-у. Како је рекао СловМист, пНетворк, мост интероперабилности унакрсних ланаца који користи Гала Гамес на БНБ Смарт Цхаин-у, имао је три привилеговане улоге у свом паметном уговору пГАЛА.

“The Admin role is used to manage upgrades and changes to the Admin address of the proxy contract. The DEFAULT_ADMIN_ROLE role is used to manage various privileged roles in the logic (eg: MINTER_ROLE ), and the MINTER_ROLE role manages the pGALA token minting authority.”

SlowMist went on to explain that both the DEFAULT_ADMIN_ROLE and MINTER_ROLE roles were controlled by pNetwork during initialization. Meanwhile, the proxy admin contract was an externally owned address responsible for upgrading the pGALA contract. However, the firm posted a screenshot alleging that the plaintext private key for the proxy admin owner address was exposed and publicly viewable on GitHub. Thus, any user with access to the private key could have manipulated the pGALA contract at any time. On Aug. 28, the proxy admin contract owner was replaced, making the protocol vulnerable to an attack.

The Gala Games token bridge was exploited on Nov. 3 after a single wallet address appeared to have minted over $2 billion in GALA (GALA) tokens out of thin air and dumped the tokens on decentralized exchange PancakeSwap. Around 12,977 BNB (БНБ), worth $4.5 million, was drained from the liquidity pool.

Cryptocurrency exchange Huobi alleged the aforementioned activities were a scheme for profit orchestrated by pNetwork. The latter has одбијен such allegations, while also наводећи in its post-mortem analysis that “No funds loss happened on the GALA cross-chain bridge. All GALA tokens on Ethereum are safe."