KEY POINTS
- A security auditor said the exploiter was 'systematically selling' the stolen $GALA tokens
- Gala's CEO admitted that the platform 'messed up' its internal controls
- The web3 gaming platform also said it was working with law enforcement
Popular web3 gaming platform Gala Games has suffered a multimillion-dollar exploit that involved an admin address minting billions worth of the platform's native $GALA token. The company's CEO admitted that the hack shouldn't have happened.
Pseudonymous blockchain security auditor Quit wrote on X (formerly Twitter) Monday that a "compromised or rogue Gala Games admin address minted 5 billion $GALA and has been systematically selling the tokens for the past 2 hours." The said tokens were worth around $200 million, as per Quit.
A compromised or rogue Gala Games admin address minted 5 Billion $GALA ($200M) and has been systematically selling the tokens for the past 2 hours.
— Quit (@0xQuit) May 20, 2024
This is why decentralization is important - I prefer "can't be evil" over "don't be evil", and design with that in mind.
Outlaw… pic.twitter.com/aZkQZ2zYi6
Gala CEO Eric Schiermeyer, who goes by Benefactor on X, acknowledged that 600 million $GALA tokens worth around $21 million were sold illegally and 4.4 billion tokens were effectively burned in the exploit.
Hey Everyone...
— benefactor (@Benefactor0101) May 20, 2024
I always knew there was a reason I never talk shit about other projects getting hacked...I'm sorry to say we had an incident that resulted in the unauthorized SALE of 600million (21million usd) $GALA tokens and the effective BURN of 4.4 billion tokens.
We…
"We messed up our internal controls...This shouldn't have happened and we are taking steps to ensure it doesn't ever again," he wrote. He noted that the Ethereum (ETH) contract for $GALA remains secure and is being protected by a multi-sig wallet. The system breach was identified in 45 minutes, as per Schiermeyer, and the unauthorized access has since been removed.
He further revealed that the web3 gaming company believes the hacker has been identified. Gala Games is working with the FBI, DOJ, and "a network of international authorities" at this point, Schiermeyer added.
The Gala Games X handle also posted that the attack was an "isolated incident," adding that users will be provided with updates as the investigation continues.
The security incident involving the $GALA token has been contained and the impacted wallet has been frozen.
— Gala Games (@GoGalaGames) May 21, 2024
This was an isolated incident, the cause of which has been addressed and we are working closely with law enforcement to investigate the individuals behind the breach.…
Web3 gaming enthusiasts have since rallied behind Gala, with one pointing out that such a "straight to the point" acknowledgment of an exploit is what the community appreciates.
Unambigious and straight to the point.This is how the community likes things.
— WhiskeyJack (@Whiskey6a61636b) May 20, 2024
I knew you would handle it well!
— cagy.ron (@cagyjan1) May 21, 2024
Please pamp bags ser
Eric, usually an inside job! Take a breath, zoom out, take your time and don’t make hasty movements! It will all come to light! Let me know if you need any help? I will volunteer.
— cryptorookie (@crypto1661) May 21, 2024
Awesome Job Team, could have been so much worse 🔥🔥🔥
— CarpeDiem (@Carpediem242424) May 20, 2024
Gala is just one of a growing list of crypto and web3 companies that suffered a security incident this year. However, it is one of the largest known exploits so far in 2024, aligning it with the likes of crypto exchange FixedFloat, which lost some $29 million in two separate system breaches by the same exploiters.
The latest hacking incident in the crypto sector was that of Solana blockchain memecoin Launchpad Pump.fun, which lost nearly $2 million after an alleged insider job that involved flash loan attacks.
The memecoin factory said the exploit was carried out by a former employee who used "their privileged position at the company to misappropriate $12.3K SOL," Solana's native token. Unlike the Gala Games exploit wherein many users seemed to empathize with the web3 gaming platform, several users expressed frustration with Pump.fun, arguing that the coin deployer should determine which security areas it will work on moving forward.
