Loopring Official Guardian 2FA Vulnerability

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 13:40, 18 September 2024 by Azoundria


Loopring Logo/Homepage

Loopring provides wallet software which, by default, is configured with only a single guardian, the Loopring Official Guardian. Although the software displayed daily notices asking users to set up additional guardians, and multiple sources online, including a post from Vitalik Buterin, gave further guidance on doing so, many users chose not to and remained with the default security setup. On June 8th, a malicious actor found a way to bypass the two-factor authentication that Loopring provided through its official guardian. This allowed them to access many Loopring users' wallets, which they subsequently drained. Loopring has postponed an upgrade to its smart contract and is reportedly working with law enforcement, centralized exchanges, and security experts to recover the lost funds.[1][2][3][4][5][6][7][8][9][10][11]

About Loopring

"Loopring is a software running on Ethereum that aims to incentivize a global network of users to operate a platform that enables the creation of new types of crypto asset exchanges."

High transaction fees are "exactly what Loopring aims to remedy, by delivering a digital economy that empowers its users while still giving them complete control over their assets. With Loopring, people no longer have to sacrifice efficiency and affordability to take advantage of Ethereum’s network security."

"Loopring (LRC) is an Ethereum Layer-2 scaling protocol that enables the building of decentralized exchanges which rival centralized exchanges in terms of performance. The network can handle up to 1,000 times more trades per second than Ethereum with each one costing a mere fraction of a cent."

"Loopring's zkRollup L2 solution offers the same security guarantees as Ethereum mainnet, with a big scalability boost: throughput increased by 1000x, and cost reduced to just 0.1% of L1. Ethereum is now unleashed. One year ago, we launched the first zkRollup on Ethereum - now we put its power in your pocket. Smooth orderbook trading, AMMs, and global payments, right from the Loopring wallet."

"Most notably, Loopring claims its platform will allow exchanges built on top of it to sidestep the slow speeds and high costs associated with decentralized exchanges on Ethereum through the use of a newer type of cryptography called zero-knowledge rollups, or zkRollups."

The Reality

"This is exactly why the app asks you to set up multiple guardians and even notifies you to do so if you haven't every time you log in, that's a lot of people who ignored the warnings daily and this unfortunate event happened."

What Happened

"Loopring Smart Wallets were targeted in a security breach. The attack exploited wallets with" the Loopring Official Guardian as their only guardian.

Key Event Timeline - Loopring Official Guardian 2FA Vulnerability
Date | Event | Description
June 8th, 2024 11:41:23 AM MDT | First Malicious Withdrawal | This transaction represents the most likely earliest malicious withdrawal on one of the reported theft wallets.
June 9th, 2024 7:13:00 AM MDT | Loopring Twitter Announcement | Loopring announces the events on Twitter. According to their announcement, they have "temporarily suspended Guardian-related and 2FA-related operations".
June 10th, 2024 6:21:00 AM MDT | Contact Address Provided | Loopring provides a contact address, and notes that they are actively working with centralized exchanges, security experts, and law enforcement on fund recovery.
June 12th, 2024 5:05:00 AM MDT | Launch Postponed | Loopring announces that their smart contract upgrade is being postponed due to the breach. They will announce the date in the future.
June 13th, 2024 8:59:00 AM MDT | Loopring Guardian Guide | Loopring publishes a tweet referencing a post by Vitalik on proper guardian setup for Loopring wallets. This recommends at least 3 guardians and that they shouldn't know each other.

Technical Details

SlowMist estimates the amount stolen at $5m.

Total Amount Lost

The total amount lost has been estimated at $5,000,000 USD.


Immediate Reactions

"Ethereum Layer 2 protocol Loopring posted on Twitter that some Loopring Smart Wallets were targeted in a security breach. The attack exploited wallets with only one Guardian, specifically the Loopring Official Guardian. The hacker initiated a Recovery process, falsely posing as the wallet owner to reset ownership and withdraw assets. The attack succeeded by compromising Loopring's 2FA service, allowing the hacker to impersonate the wallet owner and gain approval for the Recovery from the Official Guardian. Subsequently, the attacker transferred assets out of the affected wallets."

"A few hours ago, some Loopring Smart Wallets were targeted in a security breach. The attack exploited wallets with only one Guardian, specifically the Loopring Official Guardian. The hacker initiated a Recovery process, falsely posing as the wallet owner to reset ownership and withdraw assets.

The attack succeeded by compromising Loopring's 2FA service, allowing the hacker to impersonate the wallet owner and gain approval for the Recovery from the Official Guardian. Subsequently, the attacker transferred assets out of the affected wallets.

We are actively collaborating with Mist security experts to determine how our 2FA service was compromised. To protect our users, we have temporarily suspended Guardian-related and 2FA-related operations. Following this action, the compromise has ceased.

Loopring is working with law enforcement and professional security teams to track down the perpetrator. We will continue to provide updates as soon as the investigation progresses."
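The guardian-based Recovery described in the announcement above can be modelled to show why a wallet whose only guardian is backed by one 2FA service has a single point of failure, and why the three-guardian setup recommended in the timeline only helps when the guardians do not share a trust root. This is an added Python example, not Loopring's code; the guardian names, trust roots and configurations are constructed assumptions.

```python
from itertools import combinations
from typing import Dict, Optional, Set

# Constructed model: each guardian is backed by one "trust root", i.e. the
# service or device an attacker would have to compromise to obtain that
# guardian's approval. Names are illustrative, not Loopring's identifiers.
Guardians = Dict[str, str]  # guardian name -> trust root it depends on


def approvals_after_compromise(guardians: Guardians, compromised_roots: Set[str]) -> Set[str]:
    """Guardians whose Recovery approval an attacker controls once these roots fall."""
    return {g for g, root in guardians.items() if root in compromised_roots}


def recovery_succeeds(guardians: Guardians, threshold: int, compromised_roots: Set[str]) -> bool:
    """Recovery resets ownership once at least `threshold` guardians approve."""
    return len(approvals_after_compromise(guardians, compromised_roots)) >= threshold


def min_roots_to_take_over(guardians: Guardians, threshold: int) -> Optional[int]:
    """Smallest number of distinct trust roots whose compromise completes Recovery."""
    roots = sorted(set(guardians.values()))
    for k in range(1, len(roots) + 1):
        for subset in combinations(roots, k):
            if recovery_succeeds(guardians, threshold, set(subset)):
                return k
    return None  # threshold unreachable even with every root compromised


# Default setup described in the case: a single guardian behind the official 2FA service.
DEFAULT = {"official_guardian": "loopring_2fa_service"}
# Recommended setup: three guardians, none sharing a trust root, 2-of-3 to recover.
INDEPENDENT = {"official_guardian": "loopring_2fa_service",
               "friend_hardware_wallet": "friend_ledger",
               "family_phone": "family_phone"}
# Pitfall: three guardians on paper, but two of them hang off the same account.
CORRELATED = {"official_guardian": "loopring_2fa_service",
              "my_second_phone": "my_cloud_account",
              "my_tablet": "my_cloud_account"}

if __name__ == "__main__":
    for label, cfg, th in [("default 1-of-1", DEFAULT, 1),
                           ("independent 2-of-3", INDEPENDENT, 2),
                           ("correlated 2-of-3", CORRELATED, 2)]:
        print(f"{label}: trust roots an attacker must compromise = "
              f"{min_roots_to_take_over(cfg, th)}")
```

With the default configuration, compromising the single 2FA root is enough to complete Recovery; the independent 2-of-3 setup raises that to two separate compromises, while the correlated setup silently drops back to one.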

Ultimate Outcome

"Due to a recent security breach involving Loopring's two-factor authentication (2FA) service, the pre-scheduled smart contract auto-upgrade on the Ethereum mainnet, originally set for June 12th, has been postponed. We will proceed with the upgrade at a later date and will announce this date ahead of time."

"If you've experienced asset loss during the Loopring Smart Wallet compromise event - please contact us at foundation at loopring dot org

We are actively collaborating with security experts, centralized exchanges (CEX), and law enforcement to recover the lost funds. Any progress will be communicated through our official channels immediately.

Also - be aware and watch out for impersonators and scammers in the replies who are trying to capitalize off this event."

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

Ongoing Developments


Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References