According to a new post by blockchain security firm SlowMist on Nov. 7, it appears that the last week’s token exploit affecting GameFi project Gala Games resulted from a public leak of applicable security keys on GitHub. As told by SlowMist, pNetwork, the cross-chain interoperability bridge used by Gala Games on the BNB Smart Chain, had three privileged roles in its smart contract pGALA. “The Admin role is used to manage upgrades and changes to the Admin address of the proxy contract. The DEFAULT_ADMIN_ROLE role is used to manage various privileged roles in the logic (eg: MINTER_ROLE ), and the MINTER_ROLE role manages the pGALA token minting authority.” SlowMist went on to explain that both the DEFAULT_ADMIN_ROLE and MINTER_ROLE roles were controlled by pNetwork during initialization. Meanwhile, the proxy admin contract was an externally owned address responsible for upgrading the pGALA contract. However, the firm posted a screenshot alleging that the plaintext private key for the proxy admin owner address was exposed and publicly viewable on GitHub. Thus, any user with access to the private key could have manipulated the pGALA contract at any time. On Aug. 28, the proxy admin contract owner was replaced, making the protocol vulnerable to an attack.
About OODA Analyst
OODA is comprised of a unique team of international experts capable of providing advanced intelligence and analysis, strategy and planning support, risk and threat management, training, decision support, crisis response, and security services to global corporations and governments.