On November 7, 2022, a new post by blockchain security firm SlowMist revealed that the previous week's token exploit affecting GameFi project Gala Games resulted from a public leak of the relevant security keys on GitHub, as reported by Cointelegraph.
“The Admin role is used to manage upgrades and changes to the Admin address of the proxy contract. The DEFAULT_ADMIN_ROLE role is used to manage various privileged roles in the logic (e.g., MINTER_ROLE), and the MINTER_ROLE role manages the pGALA token minting authority.”
According to Cointelegraph, SlowMist further explained that both the DEFAULT_ADMIN_ROLE and MINTER_ROLE roles were controlled by pNetwork during initialisation. Meanwhile, the proxy admin contract was an externally owned address required for upgrading the pGALA contract. However, the firm shared a screenshot alleging that the plaintext private key for the proxy admin owner address was exposed and publicly viewable on GitHub. It is believed that anyone with access to the private key could have manipulated the pGALA contract at any time. On August 28, 2022, the proxy admin contract owner was replaced, which made the protocol vulnerable to an attack.
Moreover, Cointelegraph noted that the Gala Games token bridge exploit occurred on November 3, 2022, after a single wallet address appeared to have minted more than two billion dollars in GALA tokens and then dumped the tokens on decentralised exchange PancakeSwap. Reportedly, approximately 12,977 BNB, worth $4.5 million, was drained from the liquidity pool. Cryptocurrency exchange Huobi alleged that these activities were a profit-driven scheme created by pNetwork.
(With insights from Cointelegraph)