TLDR
- Loopring, an Ethereum-based ZK-rollup protocol, suffered a security breach related to its ‘Guardian’ two-factor authentication (2FA) service for its smart wallets.
- The hacker compromised Loopring’s 2FA service, allowing them to impersonate wallet owners and initiate unauthorized recoveries on wallets with only the Loopring Official Guardian.
- Approximately $5 million worth of tokens were drained from the affected wallets, according to blockchain data.
- Loopring has temporarily suspended Guardian-related and 2FA-related operations and is collaborating with security experts and law enforcement to investigate the breach.
Loopring, an Ethereum-based ZK-rollup protocol known for its self-proclaimed “most secure wallets,” has fallen victim to a security breach that resulted in the loss of approximately $5 million in user funds.
The incident, which occurred on June 9, 2024, has raised concerns about the safety of smart wallets and the potential vulnerabilities associated with emerging technologies in the decentralized finance (DeFi) space.
According to Loopring’s announcement, the attack targeted the protocol’s ‘Guardian’ two-factor authentication (2FA) service, which allows users to nominate trusted wallets to assist in security operations, such as locking compromised wallets or restoring access if seed phrases are lost.
Incident Alert: Loopring Smart Wallets Compromised
A few hours ago, some Loopring Smart Wallets were targeted in a security breach. The attack exploited wallets with only one Guardian, specifically the Loopring Official Guardian. The hacker initiated a Recovery process,… pic.twitter.com/Y9mYC4j9QJ
— Loopring (@loopringorg) June 9, 2024
The hacker managed to bypass Loopring’s Official Guardian service and initiate unauthorized recoveries on wallets that had only one guardian set up, without the users’ permission.
Blockchain data reveals that the attacker’s wallet was able to drain approximately $5 million worth of tokens from the affected wallets.
Loopring has stated that wallets with multiple guardians or those using a different, third-party guardian were protected from the exploit.
In response to the breach, Loopring has temporarily suspended Guardian-related and 2FA-related operations to prevent further compromises.
The protocol is actively collaborating with blockchain security firm SlowMist and other security experts to determine how its 2FA service was breached. Loopring is working with law enforcement to track down the perpetrator and has requested that anyone with information about the hack share it with the protocol.
The incident has led to increased scrutiny of smart wallet technologies, which have gained traction in the Ethereum community following the introduction of the ERC-4337 account abstraction standard.
While prominent figures like Vitalik Buterin and organizations such as Coinbase have backed this technology, the Loopring breach has prompted some experts to question the readiness of smart wallets for widespread adoption.
Decentralization advocate Chris Blec noted that the incident demonstrates that “smart wallets are not ready for prime-time,” advising users to “stick with properly-secured seed phrases for maximum safety and sovereignty.”
Smart wallets are not ready for prime-time.
Stick with properly-secured seed phrases for maximum safety and sovereignty. https://t.co/mrDj8r3cPO
— Chris Blec (@ChrisBlec) June 9, 2024
Following the news of the breach, Loopring’s native token, LRC, experienced a 4% drop, hitting a four-month low of $0.21.