Slow Mist: The root cause of the pGALA incident is the plaintext private key leaked on GitHub
ChainCatcher news: according to SlowMist intelligence, on November 4 an address on BNB Chain minted over $1 billion worth of pGALA tokens out of thin air and sold them for profit through PancakeSwap, causing GALA to briefly drop more than 20%. SlowMist's analysis is as follows:

The pGALA contract uses the Transparent Proxy pattern, which has three privileged roles: Admin, DEFAULT_ADMIN_ROLE, and MINTER_ROLE. The Admin role manages upgrades of the proxy contract and changes to the proxy's Admin address; DEFAULT_ADMIN_ROLE manages the privileged roles in the logic contract (e.g., MINTER_ROLE); and MINTER_ROLE controls minting of pGALA tokens.

In this incident, the Admin role of the pGALA proxy contract was set to the proxyAdmin contract address at deployment, while DEFAULT_ADMIN_ROLE and MINTER_ROLE were initialized under pNetwork's control. The proxyAdmin contract in turn has an owner role, held by an EOA address, and that owner can upgrade the pGALA contract through proxyAdmin.

However, the SlowMist security team found that the private key of the proxyAdmin contract's owner address had been leaked in plaintext on GitHub, allowing anyone who obtained it to control the proxyAdmin contract and upgrade the pGALA contract at any time. The owner address of the proxyAdmin contract was replaced 70 days ago (on August 28, 2022), and another project managed by it, pLOTTO, is suspected to have been attacked as well.

Because of the Transparent Proxy design, a change to the Admin role of the pGALA proxy contract can only be initiated by the proxyAdmin contract. Therefore, once owner privileges over the proxyAdmin contract were lost, the pGALA contract was exposed to attack at any time.

In summary, the root cause of the pGALA incident is that the private key of the owner of the pGALA proxy contract's Admin (the proxyAdmin contract) was leaked on GitHub, and that owner address was maliciously replaced 70 days ago, leaving the pGALA contract open to attack at any time.
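The privilege chain described above (proxy Admin, then the proxyAdmin contract, then its owner key) gives a defender a short list of on-chain events worth alerting on, and the 70-day gap between the owner change and the mint is itself a detectable footprint. The following is an added example, not SlowMist's or pNetwork's code, of that detection logic run over constructed decoded event records; the addresses, amounts and contract labels are placeholders.

```python
from datetime import datetime
from typing import Dict, List, Optional, Tuple

ZERO = "0x0000000000000000000000000000000000000000"

# Events that move control along proxy Admin -> ProxyAdmin -> owner key,
# or change roles in the logic contract. Any of them is a critical finding:
# the incident above needed only the first one to set up the later mint.
CONTROL_EVENTS = {"OwnershipTransferred", "AdminChanged", "Upgraded", "RoleGranted"}

# Constructed, already-decoded event log (hypothetical addresses and amounts,
# not real pGALA data); times are ISO-8601 so they sort as strings.
SAMPLE_EVENTS: List[Dict] = [
    {"time": "2022-08-28T10:00:00", "contract": "ProxyAdmin", "event": "OwnershipTransferred",
     "args": {"previousOwner": "0xOLDOWNER", "newOwner": "0xNEWOWNER"}},
    {"time": "2022-11-04T12:00:00", "contract": "pGALA", "event": "Upgraded",
     "args": {"implementation": "0xNEWIMPL"}},
    {"time": "2022-11-04T12:05:00", "contract": "pGALA", "event": "Transfer",
     "args": {"from": ZERO, "to": "0xRECIPIENT", "value": 10**27}},
]


def audit(events: List[Dict], mint_threshold: int) -> List[Tuple[str, str, str]]:
    """Return (severity, finding, contract) for each privileged action or large mint."""
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event"] in CONTROL_EVENTS:
            findings.append(("CRITICAL", ev["event"], ev["contract"]))
        elif (ev["event"] == "Transfer" and ev["args"]["from"] == ZERO
              and ev["args"]["value"] >= mint_threshold):
            findings.append(("CRITICAL", "LargeMint", ev["contract"]))
    return findings


def dormant_days(events: List[Dict]) -> Optional[int]:
    """Days between the first ProxyAdmin owner change and the first upgrade or
    mint after it. A long gap is the signature of a key taken and held before use."""
    owner_changes = [e["time"] for e in events if e["event"] == "OwnershipTransferred"]
    if not owner_changes:
        return None
    start = datetime.fromisoformat(min(owner_changes))
    later = [datetime.fromisoformat(e["time"]) for e in events
             if e["event"] == "Upgraded"
             or (e["event"] == "Transfer" and e["args"]["from"] == ZERO)]
    later = [t for t in later if t > start]
    return (min(later) - start).days if later else None


if __name__ == "__main__":
    for finding in audit(SAMPLE_EVENTS, mint_threshold=10**24):
        print(*finding)
    print("days dormant:", dormant_days(SAMPLE_EVENTS))
```

In a live deployment the same two checks would run over events decoded from the proxy, the ProxyAdmin and the token contract, with the OwnershipTransferred alert routed to whoever can rotate or freeze the key.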