Loopring Suffers $5 Million Hack via Guardian Service Exploit
Loopring, the Ethereum-based ZK-rollup protocol, faced a major security breach on Sunday, resulting in a $5 million loss. The hacker exploited a vulnerability in Loopring’s Guardian wallet recovery service, compromising the two-factor authentication (2FA) process and enabling unauthorised asset transfers.
A few hours ago, some Loopring Smart Wallets were targeted in a security breach. The attack exploited wallets with only one Guardian, specifically the Loopring Official Guardian. The hacker initiated a Recovery process,… pic.twitter.com/Y9mYC4j9QJ
The Guardian service allows users to designate trusted wallets for security tasks, such as locking a compromised wallet or restoring one if the seed phrase is lost. The hacker bypassed this service, initiating unauthorised wallet recoveries with a single guardian. By compromising Loopring’s 2FA service, the hacker impersonated the wallet owner, gaining approval for recovery, resetting ownership, and withdrawing assets from the affected wallets. Wallets that lacked multiple or third-party guardians were primarily targeted.
Loopring’s Response
Loopring has identified two wallet addresses involved in the breach, with one wallet draining approximately $5 million from the compromised accounts. On-chain data indicates the stolen assets have been swapped to Ethereum (ETH). In response, Loopring has suspended Guardian-related and 2FA-related operations to protect users.
If you've experienced asset loss during the Loopring Smart Wallet compromise event – please contact us at foundation at loopring dot org
We are actively collaborating with security experts, centralized exchanges (CEX), and law enforcement to recover the lost funds. Any progress… https://t.co/Wz8dfA9sjQ
“Loopring is working with law enforcement and professional security teams to track down the perpetrator. We will continue to provide updates as soon as the investigation progresses,” the company stated. The firm collaborates with Mist security experts to determine how to compromise their 2FA service.
Implications for Loopring’s Security and Trust
The incident raises concerns about the security of Loopring’s wallet services, previously touted as “Ethereum’s most secure wallet.” The Loopring risk disclosure statement identifies the Guardian service as a potential attack vector and recommends users identify at least three guardians. Following the hack, Loopring’s native token fell by about 5%, hitting a four-month low.
This attack occurred shortly after a data breach involving CoinGecko, where nearly 2 million contacts were compromised via a third-party email service provider. While CoinGecko’s incident didn’t involve financial losses, it highlights the broader vulnerability in the crypto ecosystem to security breaches.
Expert Opinions on Smart Wallet Security
The breach has increased scrutiny of smart wallet technologies, which have been gaining traction in the Ethereum community. Prominent figures like Vitalik Buterin and organisations like Coinbase support this technology and are expected to participate in the upcoming Pectra hard fork. However, the Loopring incident has led to calls for caution.
Smart wallets are not ready for prime-time.
Stick with properly-secured seed phrases for maximum safety and sovereignty. https://t.co/mrDj8r3cPO
Chris Blec, a decentralisation advocate, stated, “Smart wallets are not ready for prime-time,” advising users to stick with properly secured seed phrases. Similarly, Pratik Kala, Head of Research at DigitalX, commented, “New attack vectors come with new tech. We’ll get over it over time, but be safe and use hardware wallets for significant assets.”
Conclusion
The $5 million hack on Loopring, exploiting its Guardian wallet recovery service, highlights critical security flaws in its 2FA process. Loopring has suspended Guardian and 2FA operations and is investigating the breach. This incident and a recent data breach at CoinGecko underscores the ongoing security challenges in the crypto ecosystem. Experts recommend caution with smart wallet technologies and suggest using more secure options like hardware wallets.
