Gala Games Hit by $23 Million Token Exploit Due to ‘Messed Up’ Internal Controls

Author: CoinSense

Gala Games, a prominent blockchain gaming platform, experienced a significant security breach that resulted in the unauthorized sale of 600 million GALA tokens, valued at $23 million. CEO Eric Schiermeyer attributed the incident to inadequate internal controls.

The exploit occurred on May 20 at 7:32 pm UTC when a hacker accessed a Gala Games admin address. This access enabled the attacker to mint 5 billion new GALA tokens worth approximately $200 million. The attacker then sold 600 million of these newly minted tokens on the decentralized exchange Uniswap.

Notably, this breach is not Gala Games’ first encounter with security issues. In 2021, the company lost $130 million in a similar exploit.

“Messed Up Internal Controls” Leads to Gala Games Breach

Blockchain analyst @devops199fan first reported the incident, noting the sudden minting of a large volume of GALA tokens. Following the notification, Gala Games quickly mitigated further damage.

In response to the breach, Gala Games froze the compromised wallet, preventing the hacker from selling the remaining tokens. Gala Games identified and removed the unauthorized access to the GALA contract, assuring stakeholders that its Ethereum contract remains secure and uncompromised. 

Furthermore, CEO Schiermeyer announced via X that the remaining 4.4 billion tokens were effectively rendered unsellable and burned to prevent additional exploitation. The company is also working closely with the FBI, the U.S. Justice Department, and international authorities to investigate the incident and apprehend those responsible.

“We had an incident that resulted in the unauthorized sale of 600 million GALA tokens and the effective burn of 4.4 billion tokens. We messed up our internal controls. This shouldn’t have happened, and we are taking steps to ensure it doesn’t happen again,” Schiermeyer stated.

The immediate aftermath saw GALA’s price plummet to a 24-hour low of $0.038, a 20% drop from its daily high. However, according to CoinGecko, the token price has since partially recovered to $0.041.

The breach adds to the turmoil of an ongoing internal legal battle between Schiermeyer and co-founder Wright Thurston, who have filed lawsuits against each other over mismanagement and theft allegations.

However, Gala Games has assured its users and investors that it is implementing stronger internal controls to prevent future incidents and is committed to maintaining a secure and robust platform for blockchain gaming.

The Rise Of Crypto Exploits: Recent Incidents

Sonne Finance, a lending protocol, recently suffered a $20 million exploit on May 14, impacting cryptocurrencies, including WETH and USDC. Sonne Finance paused all markets on Optimism and began investigating with Cyvers. Despite efforts to recover funds and offer a bug bounty, the hacker has already moved a significant portion of the stolen assets to a new wallet, suggesting an intent to launder them through a privacy protocol like Tornado Cash.

Rain cryptocurrency exchange also experienced a potential exploit on April 29, in which approximately $14.1 million worth of various cryptocurrencies was transferred to a suspicious wallet, as reported by on-chain analyst ZachXBT. The exploit involved significant outflows from Rain’s Bitcoin, Ethereum, Solana, and XRP wallets. The stolen funds were quickly exchanged for Bitcoin and Ethereum and moved to specific addresses on these networks. Notably, the Ethereum address currently holds about 1,881 ETH, valued at $5.5 million, while the Bitcoin address holds 137.9 BTC, valued at $8.6 million.

Arkham Intelligence data shows that the funds were traced back through various BitGo multi-signature wallets, though they have not been explicitly linked to Rain. Despite this, over 590 ETH, 20 billion Shiba Inu, 12,500 Chainlink, $240,000 in Tether, and $500,000 in USD Coin were swapped for ETH on Uniswap, with additional funds from a Binance hot wallet.

Pike Finance, a DeFi lending protocol, also suffered a $1.6 million exploit due to a smart contract vulnerability. Over three days, funds were stolen across the Ethereum, Arbitrum, and Optimism chains.