📣 Loopring Hit by $5 Million Hack Through 2FA Breach
posted 10 Jun 2024
The ZK protocol based on Ethereum, Loopring, has suffered a hacker attack. The attacker stole $5 million from compromised wallets, withdrawing the funds in Ethereum.
Unlike non-custodial crypto wallets, where owners are responsible for their funds' security, Loopring allows the creation of wallets with multiple guardians. This setup permits access recovery if the primary private key is lost. Guardians can include the user’s wallet, friends' wallets, or even a trusted firm (including Loopring itself). Thus, access recovery requires the consent of the majority of guardians rather than a seed phrase.
The hacker breached Loopring’s two-factor authentication (2FA) system, allowing them to impersonate the wallet owners. The fraudster then used the access recovery feature to withdraw funds. The affected wallets had a single guardian: Loopring Official Guardian. By deceiving project employees through the compromised 2FA, the hacker secured their consent to access the wallets.
The Loopring team is currently collaborating with analysts from SlowMist to trace the hacker and recover the stolen funds.