Fintechs.fi

Loopring Suffers $5 Million Hack via Guardian Service Exploit

Loopring, the Ethereum-based ZK-rollup protocol, faced a major security breach on Sunday, resulting in a $5 million loss. The hacker exploited a vulnerability in Loopring’s Guardian wallet recovery service, compromising the two-factor authentication (2FA) process and enabling unauthorised asset transfers.

How the Hacker Exploited Loopring’s 2FA

The Guardian service allows users to designate trusted wallets for security tasks, such as locking a compromised wallet or restoring one if the seed phrase is lost. The hacker bypassed this service, initiating unauthorised wallet recoveries with a single guardian. By compromising Loopring’s 2FA service, the hacker impersonated the wallet owner, gaining approval for recovery, resetting ownership, and withdrawing assets from the affected wallets. Wallets that lacked multiple or third-party guardians were primarily targeted.

Loopring’s Response

Loopring has identified two wallet addresses involved in the breach, with one wallet draining approximately $5 million from the compromised accounts. On-chain data indicates the stolen assets have been swapped to Ethereum (ETH). In response, Loopring has suspended Guardian-related and 2FA-related operations to protect users.

“Loopring is working with law enforcement and professional security teams to track down the perpetrator. We will continue to provide updates as soon as the investigation progresses,” the company stated. The firm is collaborating with Mist security experts to determine how its 2FA service was compromised.

Implications for Loopring’s Security and Trust

The incident raises concerns about the security of Loopring’s wallet services, previously touted as “Ethereum’s most secure wallet.” The Loopring risk disclosure statement identifies the Guardian service as a potential attack vector and recommends users identify at least three guardians. Following the hack, Loopring’s native token fell by about 5%, hitting a four-month low.
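The single-guardian exposure described under "How the Hacker Exploited Loopring’s 2FA" and the three-guardian recommendation above can be checked mechanically. The following is an added example, not code from the article or from Loopring: it audits guardian sets and reports wallets where compromising one operator is enough to approve a recovery. The strict-majority approval rule, the operator labels and the wallet data are assumptions constructed for illustration.

```python
from collections import Counter

MIN_GUARDIANS = 3  # minimum the article says the risk disclosure recommends


def approvals_required(n_guardians):
    # Assumption for this example: recovery needs a strict majority of guardians.
    return n_guardians // 2 + 1


def min_operators_to_recover(guardians):
    """guardians maps guardian address -> operator that controls its approval.
    Returns the fewest operators whose compromise yields enough approvals,
    or None when the wallet has no guardians (no guardian recovery path)."""
    if not guardians:
        return None
    need, got = approvals_required(len(guardians)), 0
    # Greedy is optimal: take operators holding the most guardians first.
    for k, (_, held) in enumerate(Counter(guardians.values()).most_common(), 1):
        got += held
        if got >= need:
            return k


def audit(wallets):
    """Return {wallet: [findings]} for wallets with a weak guardian set."""
    report = {}
    for wallet, guardians in wallets.items():
        findings = []
        if len(guardians) < MIN_GUARDIANS:
            findings.append(f"only {len(guardians)} guardian(s), fewer than {MIN_GUARDIANS}")
        if min_operators_to_recover(guardians) == 1:
            findings.append("one operator alone can approve recovery")
        if findings:
            report[wallet] = findings
    return report


# Constructed sample data; addresses and operator names are placeholders.
WALLETS = {
    "0xWALLET_A": {"0xG1": "official-2fa"},
    "0xWALLET_B": {"0xG1": "official-2fa", "0xG2": "official-2fa", "0xG3": "friend"},
    "0xWALLET_C": {"0xG1": "official-2fa", "0xG4": "friend", "0xG5": "hardware-wallet"},
}

if __name__ == "__main__":
    for wallet, findings in audit(WALLETS).items():
        print(wallet, "->", "; ".join(findings))
```

Wallet B shows why counting guardians alone is not enough: it meets the three-guardian minimum, yet one operator still holds a majority of the approvals.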

This attack occurred shortly after a data breach involving CoinGecko, where nearly 2 million contacts were compromised via a third-party email service provider. While CoinGecko’s incident didn’t involve financial losses, it highlights the broader vulnerability in the crypto ecosystem to security breaches.

Expert Opinions on Smart Wallet Security

The breach has increased scrutiny of smart wallet technologies, which have been gaining traction in the Ethereum community. Prominent figures like Vitalik Buterin and organisations like Coinbase support this technology and are expected to participate in the upcoming Pectra hard fork. However, the Loopring incident has led to calls for caution.

Chris Blec, a decentralisation advocate, stated, “Smart wallets are not ready for prime-time,” advising users to stick with properly secured seed phrases. Similarly, Pratik Kala, Head of Research at DigitalX, commented, “New attack vectors come with new tech. We’ll get over it over time, but be safe and use hardware wallets for significant assets.”

Conclusion

The $5 million hack on Loopring, exploiting its Guardian wallet recovery service, highlights critical security flaws in its 2FA process. Loopring has suspended Guardian and 2FA operations and is investigating the breach. This incident and a recent data breach at CoinGecko underscore the ongoing security challenges in the crypto ecosystem. Experts recommend caution with smart wallet technologies and suggest using more secure options like hardware wallets.