On June 9th, the Loopring Smart Wallet was hacked, resulting in a $5 million loss due to a vulnerability in the wallet’s Guardian security feature. The project administrators swiftly reported the incident on the social media platform X (formerly known as Twitter). This marks the second hack in June 2024, following a recent attack on the Velocore DEX on zkSync and Linea.
????Incident Alert: Loopring Smart Wallets Compromised????
A few hours ago, some Loopring Smart Wallets were targeted in a security breach. The attack exploited wallets with only one Guardian, specifically the Loopring Official Guardian. The hacker initiated a Recovery process,… pic.twitter.com/Y9mYC4j9QJ
— Loopring???? (@loopringorg) June 9, 2024
A recent hack on the Loopring Smart Wallet has caused an estimated loss of $5 million. The breach exploited a flaw in the wallet’s Guardian recovery service. Loopring had previously boasted that their wallet was “the safest Ethereum wallet,” but hackers exploited this confidence to carry out the attack.
The 2FA Guardian service on Loopring Smart Wallet allows users to designate individuals or organizations as Guardians to help with security tasks such as locking or recovering a compromised wallet if the Seed Phrase is lost. Typically, actions like locking or recovering a wallet require the consent of more than half of the Guardians. However, a hacker found a way to bypass Loopring’s security system.
The hacker exploited a vulnerability in wallets with only a single Loopring Official Guardian. They managed to initiate the wallet recovery process without the owner’s permission. The Loopring Official Guardian, provided by Loopring, is automatically added to the wallet when users create it.
Wallets that used multiple Guardians or third-party Guardians were not affected by this vulnerability.
Loopring has disclosed two wallet addresses believed to be involved in the attack, holding more than $5 million worth of ETH from affected wallets. One of these wallets holds assets totaling $5.1 million.
The hack started at 1 a.m. on June 9, the hacker transferred about 190,000 LRC tokens to his wallet.
Loopring also stated that they are working with law enforcement to track down the perpetrators and are asking anyone with additional information about the hack to share it with the project team.
While the project team may not have anticipated this hack, they have acknowledged the risks of the Loopring Official Guardian being compromised and recommend that users set up at least three Guardians.
Meanwhile, the price of Loopring’s LRC token has dropped about 5% since the project announced the attack and is currently trading around $0.22.