- Loopring, the entity behind the altcoin LRC, recently disclosed a security vulnerability in Guardian, the two-factor-authentication-based wallet recovery service of its Ethereum ZK-rollup protocol.
- Approximately $5 million worth of assets were stolen through exploitation of this flaw.
- The incident came to light when blockchain data indicated significant unauthorized transfers from wallets protected by Loopring’s Guardian service.
Loopring’s ‘Guardian’ feature, once touted as highly secure, fell victim to a significant hack, leading to substantial losses.
Security Breach in Guardian Wallet Recovery Service
Loopring had marketed its zkEVM protocol as “Ethereum’s most secure wallet,” but a recent breach in its Guardian two-factor authentication service contradicted this notion. This service was designed to let users assign trusted individuals or entities to secure their wallets, performing tasks such as locking compromised wallets or recovering wallets when recovery phrases were lost.
Hackers Bypass Two-Factor Authentication
In a recent announcement, Loopring disclosed that an attacker managed to exploit a vulnerability, enabling them to initiate a recovery process without user consent on wallets guarded by a single guardian. Wallets utilizing multiple guardians or an external third-party guardian were not affected by this breach, according to the company’s guidelines, which state that a majority of guardians is required to initiate such actions.
Stolen Funds and Immediate Actions Taken
The breach led to approximately $5 million in token transfers, all traceable to two specific wallet addresses. In response, Loopring suspended all Guardian-related transactions and two-factor authentication processes, collaborating with blockchain security experts at Mist to investigate and resolve the issue. The company assured users that immediate actions had mitigated the vulnerability.
“We are actively working with Mist security experts to understand how our 2FA service was compromised. In the meantime, we have temporarily halted Guardian and 2FA-related transactions to ensure user protection,” Loopring stated.
Market Reaction and Further Investigations
Following the security incident, Loopring announced its cooperation with law enforcement and urged anyone with additional information on the hack to come forward. Although the breach seemed to catch the team by surprise, the company’s risk disclosure has long acknowledged potential vulnerabilities in the Guardian service, advising users to set at least three guardians for enhanced security.
Loopring’s website also warns, “As a centralized service, the Loopring Official Guardian could be targeted and compromised by attackers.” Post-announcement, the market responded with a nearly 5% drop in Loopring’s native token value within 24 hours, reflecting shaken investor confidence.
Conclusion
The hack on Loopring’s Guardian service underscores the persistent security challenges in the cryptocurrency space, regardless of perceived robustness. The company’s swift response in suspending vulnerable services and engaging security experts highlights the seriousness of the incident. As market participants await further updates, this event serves as a critical reminder of the importance of multi-layered security protocols in digital asset management.