Loopring, the Ethereum-based ZK-rollup protocol, experienced a significant wallet hack on Sunday, 09.06.2024, resulting in losses reaching millions of dollars. The incident targeted Loopring’s Guardian wallet recovery service by exploiting a vulnerability in the two-factor authentication (2FA) process.
Details of the Wallet Hack
The Guardian service allows users to designate trusted wallets for security tasks, such as locking a compromised wallet or restoring one if the seed phrase is lost. The hacker bypassed this service, initiating unauthorized recoveries on wallets protected by a single guardian. By compromising Loopring’s 2FA service, the hacker impersonated the wallet owner, gained approval for the recovery process, reset ownership, and withdrew assets from the affected wallets. The exploit mainly affected wallets lacking multiple or third-party guardians.
Impact and Response
Blockchain data indicates that approximately $5 million was drained from compromised wallets, with the stolen funds swapped to Ethereum (ETH). Loopring identified two wallet addresses involved in the breach.
In response, Loopring has temporarily suspended Guardian-related and 2FA-related operations to protect users, halting further compromise. The protocol is actively collaborating with Mist security experts to determine how the 2FA service was compromised. Additionally, Loopring is working with law enforcement and professional security teams to track down the perpetrator and is committed to providing updates as the investigation progresses.
Security Recommendations
Loopring advises users to use multiple guardians or third-party guardians to protect their wallets. The protocol’s risk disclosure statement identifies a compromise of its Guardian service as a potential attack vector and recommends that users have at least three guardians.
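The single-guardian exposure described under "Details of the Wallet Hack" and the three-guardian recommendation above can be checked against a wallet's guardian list. The following is an added example, not Loopring's code: it assumes recovery needs a strict majority of guardians, and the `operator` field, guardian labels and wallet names are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

RECOMMENDED_MIN = 3  # "at least three guardians", per the risk disclosure cited above

@dataclass(frozen=True)
class Guardian:
    label: str     # constructed placeholder, not a real address
    operator: str  # party that controls this guardian's approval (trust domain)

def quorum(n: int) -> int:
    # ASSUMPTION: a strict majority of guardians approves a recovery.
    return n // 2 + 1

def min_operators_to_recover(guardians):
    """Fewest distinct operators whose compromise alone reaches quorum."""
    if not guardians:
        raise ValueError("wallet has no guardians")
    need, held = quorum(len(guardians)), 0
    # Greedy is optimal: count operators holding the most guardians first.
    ranked = Counter(g.operator for g in guardians).most_common()
    for used, (_, count) in enumerate(ranked, start=1):
        held += count
        if held >= need:
            return used
    raise AssertionError("unreachable: all operators together reach quorum")

def audit(wallets):
    """Map wallet name -> finding; wallets with no finding are omitted."""
    findings = {}
    for name, guardians in wallets.items():
        if min_operators_to_recover(guardians) == 1:
            findings[name] = "one operator can approve recovery alone"
        elif len(guardians) < RECOMMENDED_MIN:
            findings[name] = "fewer guardians than recommended"
    return findings

# Constructed sample configurations.
WALLETS = {
    "solo": [Guardian("g1", "official-2fa")],
    "pair": [Guardian("g1", "official-2fa"), Guardian("g2", "friend")],
    "three-independent": [Guardian("g1", "official-2fa"), Guardian("g2", "friend"),
                          Guardian("g3", "hardware-wallet")],
    "three-same-operator": [Guardian("g1", "official-2fa"), Guardian("g2", "custodian"),
                            Guardian("g3", "custodian")],
}

if __name__ == "__main__":
    for wallet, finding in audit(WALLETS).items():
        print(f"{wallet}: {finding}")
```

The `three-same-operator` case shows why guardian count alone is not enough: three guardians still fail the check when two of them share one operator.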