Gala Games Attacker Returns Ethereum After $240 Million Token Exploit

The as-yet-unidentified attacker behind Monday’s $240 million Gala Games token exploit has returned the Ethereum (ETH) gained from selling some of the tokens, as Gala reckons with the fallout from the attack and how to address lingering questions.

Approximately 5,913 ETH, or about $22 million, was sent back from the attacker’s wallet to a Gala wallet on Tuesday morning, representing the funds earned from selling 600 million GALA tokens on decentralized exchange Uniswap shortly after Monday’s exploit.

In Gala’s Discord server Tuesday, CEO Eric “Benefactor” Schiermeyer said that the firm will “probably buy and burn” GALA tokens using the recovered ETH—a move that could potentially drive up the price of the token following Monday’s dip.

On Monday, Schiermeyer wrote in a Discord announcement that the crypto gaming startup believed it knew who was behind the attack, and said it was working with authorities to bring the attacker to justice. The person in question has yet to be publicly identified, and Gala Games would not comment further beyond published statements.

Gala published a blog post recounting the attack and the firm’s countermeasures on Tuesday. A wallet with administrative access to the GALA token minting contract minted 5 billion GALA tokens on Monday, or about $240 million worth at the time of the exploit, and then proceeded to start selling them on the open market.

After about 45 minutes, Gala was able to block the wallet from making any further sales thanks to a function built into its v2 contract upgrade from last fall. The attacker was able to sell 600 million GALA tokens before that happened, and the price of GALA plunged by 20% during that span as the market contended with the flood of tokens.

“We want to assure our community that the minting capabilities of $GALA on GalaChain remain secure and uncompromised,” the post reads. “Our internal controls and multisig security protocols are designed to protect against such incidents, and we are continuously enhancing them to stay ahead of potential threats.”

📢 Important Update

We recently detected and addressed a security incident involving $GALA tokens.

Thanks to our network’s robust security, the situation was quickly under control. Your GalaChain assets and $GALA Ethereum contract are secure. https://t.co/O3himruM4E

— Gala Games (@GoGalaGames) May 21, 2024

However, while the firm claimed that the contract is secure, Schiermeyer wrote on Monday that Gala had “messed up” with regard to access to such functions.

“We messed up our internal controls… this shouldn’t have happened and we are taking steps to ensure it doesn’t ever again,” he wrote Monday.

What about the other 4.4 billion GALA tokens? That’s nearly 9% of the total supply of 50 billion GALA tokens, and they currently sit frozen inside of the attacker’s wallet. On Monday, Schiermeyer wrote that they would be considered “effectively burned,” as they’re inaccessible and can’t be spent.

In other words, the Gala ecosystem would consider them removed from circulation. But now, it appears that Schiermeyer’s classification was premature, and the community of Gala network node operators will have the opportunity to vote on the question.

“A new Founder’s Node ecosystem governance vote will soon decide if the blocklisted GALA will be considered burned as it relates to GALA’s dynamic supply distribution model as described in the Gala Ecosystem Blueprint,” the post reads.

Edited by Ryan Ozawa.

Source: https://decrypt.co/231698/gala-games-attacker-returns-ethereum-240-million-exploit
