You think this is a game?
Well, players on the Vulcan Forged platform, a blockchain game studio that runs a decentralized exchange and NFT marketplace to complement its play-to-earn titles, want to log off.
A hacker exploited the Polygon-based platform to get hold of the private keys to 96 crypto wallets and grab roughly 4.5 million of Vulcan Forged native PYR tokens in the process—9% of the 50 million supply. All told, customers found themselves about $140 million poorer.
Though the company has vowed to make affected users whole with money from its treasury and claimed earlier today that half of the stolen funds have already been repaid, it’s a disappointing consolation. PYR has dropped in value by over 30% in the last 24 hours, from above $32 on Sunday to below $21 as of publication.
According to company CEO Jamie Thomson, the hacker was able to attack the semi-custodial wallets that Vulcan Forged helped manage for its customers. The problem wasn’t with its wallet solution provider, Venly, but a vulnerability with Vulcan Forged.
“What’s happened is someone’s exploited our servers, got the Venly credentials, and used it to extract the private keys of the MyForge users,” Thomson said in a video shared on the company’s social media accounts today. (MyForge is an asset management tool that displays users’ crypto and NFT holdings.) “Going forward, of course, we’re going to be using nothing but decentralized wallets so we never have to encounter this problem again.”
The $140 million is a massive sum for a gaming system with minor traction. According to Etherscan, there are 6,501 wallets—including those on exchanges—holding PYR. By comparison, Axie Infinity Shard tokens sit in 45,073 wallets. Given the high concentration of tokens among relatively few users, the hacker was able to steal an average of $1.46 million per wallet by targeting the community’s whales.
The attack has brought Vulcan Forged market cap from $612 million on Sunday to $397 million today.