Loopring, which is behind the altcoin LRC, a ZK-rollup protocol built on Ethereum, recently suffered a vulnerability in its Guardian wallet recovery service, which relies on two-factor authentication, the company announced. Blockchain data shows that approximately $5 million in assets were stolen from wallets protected by Loopring’s Guardian service. Here are the details…
Hack shock for the altcoin promoted as the ‘safest’
Loopring, the zkEVM protocol introduced on its website as “Ethereum’s most secure wallet”, announced on Sunday that it had a security vulnerability related to the two-factor authentication service called ‘Guardian’. Through the Guardian service, users could assign wallets to individuals or institutions they trust to assist with security processes. These included processes to lock a compromised wallet or restore the wallet if the password was lost.
However, Loopring explained in its announcement that an attacker had managed to bypass Loopring’s own Official Guardian service to initiate a recovery process on wallets with a single guardian without user permission. Wallets using more than one guardian or a different third-party guardian were protected from this vulnerability, as more than half of the guardians were required to initiate processes, according to Loopring’s website.
Stolen funds went into two wallets
Loopring also shared two wallet addresses thought to be related to the security vulnerability. Blockchain information shows that one wallet transferred approximately $5 million worth of tokens from affected wallets. In its announcement, Loopring included the following statements:
We are actively collaborating with Mist security experts to determine how our 2FA service has been compromised. To protect our users, we have temporarily suspended Guardian-related and 2FA-related processes. After this action, the vulnerability ended.
There is a decrease in price
Loopring also said it was working with law enforcement to track down the attacker and asked anyone with additional information about the hack to share that information with the protocol. While the attack was likely a surprise to the team, Loopring’s risk disclosure statement identifies an attack on the Guardian service as a potential attack vector and recommends users identify at least three patrons.
Loopring’s website states, “Once your Wallet is created, we will add the Loopring Official Guardian service to your Wallet by default. “As a centralized service, Loopring Official Guardian can be attacked and controlled by attackers.” According to market data, following Loopring’s hack announcement, its local token dropped by approximately 5% in the last 24 hours. You can see the decrease in the chart below.
Bitcoin 
Ethereum 
Tether 
BNB 
Solana 
USDC 
XRP 
Lido Staked Ether 
Dogecoin 
Toncoin 
Cardano 
TRON 
Avalanche 
Wrapped Bitcoin 
Shiba Inu 
Chainlink 
Polkadot 
Bitcoin Cash 
NEAR Protocol 
Uniswap 
LEO Token 
Litecoin 
Dai 
Pepe 
Wrapped eETH 
Polygon 
Kaspa 
Internet Computer 
Ethereum Classic 
Aptos 
Artificial Superintelligence Alliance 
Ethena USDe 
Monero 
Stellar 
Stacks 
Mantle 
Render 
Filecoin 
dogwifhat 
Injective 
Hedera 
OKB 
Cronos 
Maker 
Cosmos Hub 
Arbitrum 
Bittensor 
Immutable 
VeChain 
Arweave