After ‘Guardian’ two-factor authentication service is breached, Loopring experiences a $5 million hack

  • Loopring, an Ethereum-based ZK-rollup protocol, recently disclosed a hack that compromised its Guardian wallet recovery service, which relies on two-factor authentication.
  • Blockchain evidence indicates that wallets secured by Loopring’s Guardian service had about $5 million taken out of them.

The Ethereum-based zkEVM protocol Loopring, which markets its smart wallet software as “Ethereum’s most secure wallet,” disclosed on Sunday that there had been a security compromise involving its ‘Guardian’ two-factor authentication service.

Users can designate wallets of reliable people or organizations through the Guardian service to help with security procedures including freezing a hacked wallet or restoring one in the event that the seed phrase is misplaced. 

But according to Loopring’s release, a hacker was able to bypass the company’s Official Guardian service and initiate recoveries, without the users’ consent, on wallets with just one guardian.

Wallets that used multiple guardians or a different, third-party guardian were shielded from the vulnerability because, according to Loopring’s website, more than half of the guardians are required to initiate transactions.

Additionally, Loopring disclosed two wallet addresses that the protocol claims were connected to the hack. According to blockchain data, one wallet was able to siphon off tokens valued at roughly $5 million from the wallets that were impacted.

“We are working closely with the security professionals at Mist to find out how our 2FA service was hacked. We have temporarily stopped all 2FA and Guardian-related actions in order to protect our users.”

The protocol stated in its announcement on X that the compromise has ended as a result of this move.

In addition, Loopring stated that it is collaborating with law enforcement authorities to identify the hacker and asked anyone with further details about the attack to contact the protocol.

Although the team was probably caught off guard, Loopring’s risk disclosure statement lists a compromise of its Guardian service as a potential attack vector and advises customers to designate at least three guardians.

The protocol stated that it will automatically add the Loopring Official Guardian service to your wallet once the wallet has been set up. According to Loopring’s website, because Loopring Official Guardian is a centralized service, it is vulnerable to cyber attacks and takeover.

Author: Puskar Pande
