Loopring, the ZK-rollup protocol built on Ethereum and the project behind the altcoin LRC, recently announced a vulnerability in its Guardian wallet recovery service, which relies on two-factor authentication. Blockchain data shows that approximately $5 million in assets were stolen from wallets protected by Loopring’s Guardian service. Here are the details…
Hack shock for the altcoin promoted as the ‘safest’
Loopring, the zkEVM protocol introduced on its website as “Ethereum’s most secure wallet”, announced on Sunday that it had a security vulnerability related to the two-factor authentication service called ‘Guardian’. Through the Guardian service, users could assign wallets to individuals or institutions they trust to assist with security processes. These included processes to lock a compromised wallet or restore the wallet if the password was lost.
However, Loopring explained in its announcement that an attacker had managed to bypass Loopring’s own Official Guardian service to initiate a recovery process on wallets with a single guardian without user permission. Wallets using more than one guardian or a different third-party guardian were protected from this vulnerability, as more than half of the guardians were required to initiate processes, according to Loopring’s website.
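The "more than half" rule above is why wallets with a single guardian were exposed. The following added example (not Loopring's code) audits constructed wallet configurations for that single point of failure. The function names, the operator labels, and the grouping of guardians by the party that operates them are assumptions that generalize the single-guardian case described on this page.

```python
from collections import Counter


def approvals_required(guardian_count: int) -> int:
    """Smallest approval count that is 'more than half' of the guardians."""
    if guardian_count < 1:
        raise ValueError("recovery needs at least one guardian")
    return guardian_count // 2 + 1


def single_operator_risks(guardians: dict) -> list:
    """Return operators that alone control enough guardians to approve a recovery.

    `guardians` maps a guardian label to the operator controlling it
    (hypothetical labels; a real audit would map guardian addresses to owners).
    """
    needed = approvals_required(len(guardians))
    per_operator = Counter(guardians.values())
    return sorted(op for op, count in per_operator.items() if count >= needed)


def audit(wallets: dict) -> dict:
    """Map each wallet name to the operators whose compromise alone allows recovery."""
    return {name: single_operator_risks(g) for name, g in wallets.items()}


# Constructed sample configurations, not real wallets.
SAMPLE_WALLETS = {
    # Default setup from the page: only the official guardian service.
    "default-single": {"guardian-1": "official-service"},
    # Two guardians: both approvals are needed, so no single operator suffices.
    "official-plus-friend": {"guardian-1": "official-service", "guardian-2": "friend"},
    # Three guardians, but two are run by the same party: still a single point of failure.
    "three-shared-operator": {"guardian-1": "custodian-x", "guardian-2": "custodian-x",
                              "guardian-3": "friend"},
    # Three independent guardians, as the risk disclosure recommends.
    "three-independent": {"guardian-1": "official-service", "guardian-2": "friend",
                          "guardian-3": "hardware-wallet"},
}

if __name__ == "__main__":
    for name, risky in audit(SAMPLE_WALLETS).items():
        status = "AT RISK via " + ", ".join(risky) if risky else "ok"
        print(f"{name}: {status}")
```
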
Stolen funds went into two wallets
Loopring also shared two wallet addresses thought to be related to the security vulnerability. Blockchain data shows that one wallet transferred approximately $5 million worth of tokens from affected wallets. In its announcement, Loopring included the following statements:
We are actively collaborating with Mist security experts to determine how our 2FA service has been compromised. To protect our users, we have temporarily suspended Guardian-related and 2FA-related processes. After this action, the vulnerability ended.
The price has dropped
Loopring also said it was working with law enforcement to track down the attacker and asked anyone with additional information about the hack to share it with the protocol. While the attack was likely a surprise to the team, Loopring’s risk disclosure statement identifies an attack on the Guardian service as a potential attack vector and recommends that users appoint at least three guardians.
Loopring’s website states, “Once your Wallet is created, we will add the Loopring Official Guardian service to your Wallet by default. As a centralized service, Loopring Official Guardian can be attacked and controlled by attackers.” According to market data, following Loopring’s hack announcement, its native token dropped by approximately 5% in the last 24 hours. You can see the decrease in the chart below.