Loopring’s “Most Secure” Smart Wallet Hit by a $5 Million Hack

  • The 2FA service provided by Loopring was compromised by the attacker.

On Sunday, the Ethereum Layer 2 network Loopring disclosed a security breach that cost $5 million in tokens.

Hackers targeted the Loopring Official Guardian in particular, taking advantage of Smart Wallets that depended on a single Guardian.

Loopring stated that the hacker was able to assume the identity of the wallet owner and obtain approval for the Recovery from the Official Guardian by breaching Loopring’s 2FA service.

The attacker then moved money out of the compromised wallets.

Loopring describes its Smart Wallet as the most secure Ethereum wallet. It integrates with Layer 2 solutions and offers social recovery and multi-signature protection.

By designating trusted wallets as Guardians, users can rely on the Guardian service for security actions such as freezing hacked wallets or regaining access if the seed phrase is lost.

In this incident, the hacker bypassed the official Guardian service, assumed the identity of wallet owners and started recovery procedures.
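The exposure of single-Guardian wallets can be checked with a short audit script. This is an added example, not Loopring's code: the strict-majority approval rule, the guardian identifiers and the sample wallets are assumptions made for illustration.

```python
from dataclasses import dataclass

OFFICIAL = "official-guardian"  # hypothetical id for the provider-run guardian


@dataclass(frozen=True)
class Wallet:
    name: str
    guardians: frozenset  # guardian ids; duplicates collapse automatically


def quorum(wallet):
    # ASSUMPTION: a strict majority of guardians must approve a recovery.
    return len(wallet.guardians) // 2 + 1


def recovery_allowed(wallet, approvals):
    """Count only approvals that come from this wallet's own guardians."""
    return len(set(approvals) & wallet.guardians) >= quorum(wallet)


def audit(wallets, compromised):
    """Map wallet name -> 'exposed', 'safe' or 'no-recovery' for a compromised guardian set."""
    report = {}
    for w in wallets:
        if not w.guardians:
            report[w.name] = "no-recovery"   # nobody can approve a recovery
        elif recovery_allowed(w, compromised):
            report[w.name] = "exposed"       # compromised guardians alone reach quorum
        else:
            report[w.name] = "safe"
    return report


# Constructed sample inventory, not data from the incident.
WALLETS = [
    Wallet("alice", frozenset({OFFICIAL})),
    Wallet("bob", frozenset({OFFICIAL, "phone", "friend"})),
    Wallet("carol", frozenset({OFFICIAL, "hardware-key"})),
    Wallet("dave", frozenset()),
]

if __name__ == "__main__":
    for name, status in audit(WALLETS, {OFFICIAL}).items():
        print(f"{name}: {status}")
```

Under the assumed rule, only the wallet whose sole guardian is the provider-run one is recoverable after that one guardian is compromised; adding independent guardians raises the quorum beyond a single approval.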

The company announced that, in response to the incident, it has temporarily halted all 2FA and Guardian-related activities in order to stop additional breaches.

Loopring has also made public two wallet addresses that it says were used in the attack. According to blockchain data, one of these wallets lost about 1,373 ETH, or $5 million.

The announcement caused Loopring’s native token, LRC, to fall by 2%.

Increase in the Use of Smart Wallets

Since ERC-4337 enabled account abstraction on the Ethereum mainnet, smart wallets have become more and more popular. With the update, users can tailor their wallets to meet specific requirements, such as social recovery, multi-signature wallets, and automated transactions.

ERC-4337, which was unveiled by Vitalik Buterin in September 2021, has expanded the possibilities of Smart Wallets. Features such as “social recovery,” which Buterin championed, remove the need for recovery phrases.

Some businesses built their own smart wallet features before ERC-4337. For example, in 2020 Loopring and Argent created their own Smart Wallets. Coinbase debuted its Smart Wallet more recently.

Although smart wallets offer enhanced features and an improved user experience (UX), they also introduce new threats and attack points that are not present in externally owned account (EOA) wallets.

Back in April, when EIP-3074 was given the go-ahead to be incorporated into Pectra, the upcoming major Ethereum upgrade, a number of influential Ethereum community members cautioned that these features would increase wallets’ susceptibility to fraudulent activity.

Itamar Lesuisse, co-founder of Argent, a Starknet wallet provider, forewarned that with just one off-chain signature, a scammer should be able to empty your whole wallet. This will probably be a significant use case.


Author: Puskar Pande

