Status | Low | Medium | High | Critical | Total |
---|---|---|---|---|---|
Not fixed | - | - | 1 | - | 1 |
Fixed | 10 | 2 | 1 | 1 | 14 |
Total | 10 | 2 | 2 | 1 | 15 |
Quick Summary

Gala Games was exploited through a suspected private key leak, which allowed 5,000,000,001 $GALA tokens to be minted, worth an estimated ~$220M at the time of the hack. The exploiter began exchanging the tokens in batches via 0x Protocol.

Details of the Exploit

Gala Games experienced a security incident on May 20, 2024, in which a hacker exploited an access control vulnerability in the GALA token contract, seizing control of an admin address to mint 5 billion GALA tokens worth $216 million. The hacker quickly sold 592 million tokens for $21.8 million in ETH on decentralized exchanges including Uniswap and 0x Protocol, pushing the token's price down by 20%. Gala Games detected the exploit, activated its blocklist function, which had been implemented a year earlier, and froze the rogue wallet, mitigating further damage. The Ethereum contract for GALA was secure and protected by a multi-sig wallet.

The company worked with the FBI, DOJ, and international authorities to identify the hacker, who later returned approximately $22 million in ETH to a Gala-controlled wallet. The remaining funds were secured, and Gala Games plans to use the returned ETH to buy back and burn GALA tokens to stabilize the supply. Despite the rapid response, the incident caused significant market disruption, in contrast to the broader market rally that followed the Ethereum ETF approval news. The exploit highlighted critical access control failures and suspicious internal activity; historical incidents suggest possible internal sabotage.

Block Data Reference

Attacker: https://etherscan.io/address/0xe2ca471124b124831e231fb835778840ad100f97
Mint tx: https://etherscan.io/tx/0xa6d90abe17d17743a9cecab84bcefb0fd0bbfa0c61bba60fd2f680b0a2f077fe
List of sell txs: https://etherscan.io/token/0xd1d2eb1b1e90b638588728b4130137d262c87cae?a=0xe2ca471124b124831e231fb835778840ad100f97
Quick Summary

Gala was exploited on the Binance chain. The attacker used a privileged function to mint 55,628,400,000 $GALA tokens to an EOA address.

Details of the Exploit

Gala is a metaverse including Gala Games, Gala Music, and Gala Films. The project's token smart contract on the Binance chain was used to mint a large amount of $GALA tokens. The total worth of the newly minted tokens reached 1,156,000,000 $USD. The attacker managed to swap part of the tokens for 4,540,655 $USD worth of $BNB. All the stolen funds remain at the initial EOA address at the moment. Funds on the Ethereum chain and the collateral of the bridges were not affected. The pNetwork team, which operates the bridge behind the BSC token, has called for calm, claiming that the incident was merely a drain of the liquidity pool to safeguard against potential vulnerabilities, and that there was no hack or rug.

Block Data Reference

Attacker address: https://bscscan.com/address/0xe8710dad8ff08fbee62e2fe77315caecb59bd20f
Wallet holding the funds: https://bscscan.com/address/0x6891A233Bca9E72A078bCB71ba02aD482A44e8C1
Malicious transactions:
https://bscscan.com/tx/0x4b239b0a92b8375ca293e0fde9386cbe6bbeb2f04bc23e7c80147308b9515c2e
https://bscscan.com/tx/0x439aa6f526184291a0d3bd3d52fccd459ec3ea0a8c1d5bf001888ef670fe616d
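Both incidents above share one on-chain signature: a privileged address minting an enormous amount of tokens in a single transaction. On any ERC-20 or BEP-20 token a mint is emitted as a Transfer event whose `from` field is the zero address, so a monitor that decodes Transfer logs and flags zero-address transfers above a size threshold fires in the same block as the mint, before the tokens reach a DEX. The script below is an added example written for this page; it is not code from Gala Games, pNetwork, or the auditors listed here. The token contract, the mint recipient and the mint transaction hash are taken from the Ethereum Block Data Reference above; the 8-decimal setting, the sample logs (constructed to mimic `eth_getLogs` output) and the alert threshold are assumptions for the demonstration.

```python
"""Flag anomalous ERC-20 / BEP-20 mints from raw Transfer event logs.

A mint is a Transfer whose `from` is the zero address. The same check applies
unchanged on Ethereum and BSC, which is why one monitor covers both Gala
incidents. Sample logs are constructed here, not pulled from a node.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# keccak256("Transfer(address,address,uint256)"): topics[0] of every ERC-20 Transfer.
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
ZERO_ADDRESS = "0x" + "00" * 20

# From the page's Block Data Reference: GALA token contract, recipient of the 5B mint, mint tx.
GALA_TOKEN = "0xd1d2eb1b1e90b638588728b4130137d262c87cae"
GALA_MINT_RECIPIENT = "0xe2ca471124b124831e231fb835778840ad100f97"
GALA_MINT_TX = "0xa6d90abe17d17743a9cecab84bcefb0fd0bbfa0c61bba60fd2f680b0a2f077fe"
GALA_DECIMALS = 8  # assumption for this example; read decimals() from the contract in production


@dataclass
class MintAlert:
    tx_hash: str
    token: str
    to: str
    amount_raw: int   # base units exactly as emitted in the event data
    amount: float     # whole tokens after dividing by 10**decimals


def encode_topic_address(addr: str) -> str:
    """ABI-encode an address as an indexed topic: 12 zero bytes then the 20 address bytes."""
    return "0x" + "00" * 12 + addr.lower()[2:]


def encode_uint256(value: int) -> str:
    """ABI-encode a uint256 as the 32-byte `data` field of a Transfer log."""
    return "0x" + value.to_bytes(32, "big").hex()


def topic_to_address(topic: str) -> str:
    """Recover the address from a 32-byte indexed topic (its last 20 bytes)."""
    return "0x" + topic[-40:].lower()


def decode_transfer(log: dict) -> Optional[Tuple[str, str, int]]:
    """Return (from, to, value) if `log` is an ERC-20 Transfer event, else None."""
    topics = log.get("topics", [])
    if len(topics) != 3 or topics[0].lower() != TRANSFER_TOPIC:
        return None
    return topic_to_address(topics[1]), topic_to_address(topics[2]), int(log["data"], 16)


def find_suspicious_mints(logs: Iterable[dict], decimals: int,
                          threshold_tokens: float) -> List[MintAlert]:
    """One alert per mint (Transfer from the zero address) of at least `threshold_tokens`."""
    alerts: List[MintAlert] = []
    for log in logs:
        decoded = decode_transfer(log)
        if decoded is None:
            continue
        src, dst, value = decoded
        if src != ZERO_ADDRESS:
            continue  # ordinary transfer or burn, not a mint
        amount = value / 10 ** decimals
        if amount >= threshold_tokens:
            alerts.append(MintAlert(log["transactionHash"], log["address"].lower(), dst, value, amount))
    return alerts


# Constructed sample logs (not real chain data): a routine small mint, a normal
# wallet-to-wallet transfer, and a log shaped like the 5,000,000,001 GALA mint.
WALLET_A = "0x1111111111111111111111111111111111111111"
WALLET_B = "0x2222222222222222222222222222222222222222"
SAMPLE_LOGS = [
    {"address": GALA_TOKEN,
     "topics": [TRANSFER_TOPIC, encode_topic_address(ZERO_ADDRESS), encode_topic_address(WALLET_A)],
     "data": encode_uint256(1_000 * 10 ** GALA_DECIMALS),
     "transactionHash": "0x" + "01" * 32},
    {"address": GALA_TOKEN,
     "topics": [TRANSFER_TOPIC, encode_topic_address(WALLET_A), encode_topic_address(WALLET_B)],
     "data": encode_uint256(50_000 * 10 ** GALA_DECIMALS),
     "transactionHash": "0x" + "02" * 32},
    {"address": GALA_TOKEN,
     "topics": [TRANSFER_TOPIC, encode_topic_address(ZERO_ADDRESS), encode_topic_address(GALA_MINT_RECIPIENT)],
     "data": encode_uint256(5_000_000_001 * 10 ** GALA_DECIMALS),
     "transactionHash": GALA_MINT_TX},
]

if __name__ == "__main__":
    for alert in find_suspicious_mints(SAMPLE_LOGS, GALA_DECIMALS, threshold_tokens=1_000_000):
        print(f"ALERT: mint of {alert.amount:,.0f} tokens to {alert.to} in {alert.tx_hash}")
```

In a live deployment the threshold would be expressed as a fraction of `totalSupply()` rather than a fixed token count, and the alert would also carry the transaction sender (from the receipt, since the minter is not part of the Transfer event) so that a mint from an address outside the expected minter set can be escalated even when it is small. The blocklist response described above is only useful if this alert arrives before the first sell, which is why the check runs per block rather than on a delayed indexer.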
# | Name | Auditor | Date | Chains | Issues |
---|---|---|---|---|---|
1 | Gala Games - TON Bridge | CertiK | 2024/11/22 | Off-Chain (Private) | No active critical issues |
2 | Gala - Film | CertiK | 2024/05/21 | Ethereum | No active critical issues |
3 | Gala - governance voting API | CertiK | 2023/08/09 | Off-Chain (Private) | No active critical issues |
4 | Gala Games - GalaV2 | CertiK | 2023/04/20 | Off-Chain (Private) | No active critical issues |