PGALA

SlowMist: The root cause of the pGALA incident is the plaintext private key leaked on GitHub

ChainCatcher news: according to SlowMist intelligence, on November 4th an address on the BNB Chain minted over $1 billion worth of pGALA tokens out of thin air and sold them for profit through PancakeSwap, causing GALA to briefly drop over 20%. The analysis results from SlowMist are as follows:

The pGALA contract uses a Transparent Proxy model, which has three privileged roles: Admin, DEFAULT_ADMIN_ROLE, and MINTER_ROLE. The Admin role is used to manage the upgrade of the proxy contract and change the Admin address of the proxy contract, the DEFAULT_ADMIN_ROLE is used to manage various privileged roles in the logic (e.g., MINTER_ROLE), and the MINTER_ROLE manages the minting permissions of pGALA tokens.

In this incident, the Admin role of the pGALA proxy contract was designated as the proxyAdmin contract address at the time of contract deployment, while the DEFAULT_ADMIN_ROLE and MINTER_ROLE were initialized to be controlled by pNetwork. The proxyAdmin contract also has an owner role, which is an EOA address, and the owner can upgrade the pGALA contract through proxyAdmin.

However, the SlowMist security team discovered that the private key of the owner address of the proxyAdmin contract was leaked in plain text on GitHub, allowing any user who obtains this private key to control the proxyAdmin contract and upgrade the pGALA contract at any time.

The owner address of the proxyAdmin contract was replaced 70 days ago (on August 28, 2022), and another project managed by it, pLOTTO, is suspected to have been attacked. Due to the architectural design of the Transparent Proxy, the change of the Admin role of the pGALA proxy contract can only be initiated by the proxyAdmin contract. Therefore, after the loss of owner privileges of the proxyAdmin contract, the pGALA contract has been at risk of being attacked at any time.

In summary, the root cause of the pGALA incident lies in the leakage of the owner private key of the Admin role of the pGALA proxy contract on GitHub, and its owner address was maliciously replaced 70 days ago, resulting in the pGALA contract being at risk of being attacked at any time.
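The 70-day gap between the owner replacement and the upgrade is a detection window. The following Python is an added example, not code from SlowMist, pNetwork or ChainCatcher: it replays already-decoded contract events and flags an owner change on the proxyAdmin to an unapproved address, plus any proxy upgrade made while that owner is in place. It assumes the contracts emit `OwnershipTransferred` (OpenZeppelin Ownable convention) and `Upgraded` (ERC-1967 convention); all addresses and block numbers are constructed placeholders.

```python
# Added example: replay decoded events and flag the exposure window the
# article describes. All addresses and block numbers are constructed.
PROXY_ADMIN = "0xProxyAdminContract"      # placeholder, not a real address
PROXIES = {"0xTokenProxy"}                # proxies whose Admin is PROXY_ADMIN
APPROVED_OWNERS = {"0xTeamOwner"}         # owners the team has signed off on

EVENTS = [  # constructed sample, already decoded and in chain order
    {"block": 100, "contract": PROXY_ADMIN, "event": "OwnershipTransferred",
     "args": {"previousOwner": "0x0", "newOwner": "0xTeamOwner"}},
    {"block": 250, "contract": PROXY_ADMIN, "event": "OwnershipTransferred",
     "args": {"previousOwner": "0xTeamOwner", "newOwner": "0xUnknownEOA"}},
    {"block": 300, "contract": "0xUnrelated", "event": "Upgraded",
     "args": {"implementation": "0xOther"}},
    {"block": 900, "contract": "0xTokenProxy", "event": "Upgraded",
     "args": {"implementation": "0xNewLogic"}},
]

def audit(events, proxy_admin, proxies, approved_owners):
    """Return findings for unapproved owner changes and upgrades made under them."""
    findings = []
    unapproved_since = None  # block at which an unknown key took ownership
    for ev in events:
        if ev["contract"] == proxy_admin and ev["event"] == "OwnershipTransferred":
            owner = ev["args"]["newOwner"]
            if owner in approved_owners:
                unapproved_since = None      # control is back with a known key
            else:
                if unapproved_since is None:
                    unapproved_since = ev["block"]
                findings.append(("owner-replaced", ev["block"], owner))
        elif ev["contract"] in proxies and ev["event"] == "Upgraded":
            if unapproved_since is not None:
                # Upgrade went through ProxyAdmin while an unknown key owned it;
                # the third field is the exposure window in blocks.
                findings.append(("untrusted-upgrade", ev["block"],
                                 ev["block"] - unapproved_since))
    return findings

if __name__ == "__main__":
    for finding in audit(EVENTS, PROXY_ADMIN, PROXIES, APPROVED_OWNERS):
        print(finding)
```

The first finding is the one that matters operationally: alerting on it gives the team the whole window to rotate ownership before any upgrade occurs.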

pNetwork: The earlier "drain" of the pGALA pool followed the detection of a high security risk, and the withdrawn BNB funds will be returned to uncollateralized pGALA holders

ChainCatcher news reports that the cross-chain protocol pNetwork has released an analysis of the previous GALA incident, stating that the team noticed a configuration error in the pNetwork cross-chain bridge for GALA on November 3. The team observed that due to the configuration error, the ownership of the pGALA smart contract (deployed on BSC) had been secretly taken over. The attacker who gained ownership of the smart contract did not launch any attacks, but this situation highlighted a high security risk that needed immediate mitigation.

Therefore, pNetwork contacted GalaGames and decided to suspend cross-chain bridge activities and execute a white-hat drain of the pGALA/BNB PancakeSwap pool, in an attempt to preserve the BNB funds in that pool so that they could be returned to their rightful owners (liquidity providers) once the situation was under control. The white-hat drain recovered 12,977 BNB (approximately 4.5 million USD), and the funds will be returned to the holders of currently uncollateralized pGALA, with a snapshot taken on November 7, 2022, at 16:00.

In the early morning of November 4, after redeploying the pGALA contract, the cross-chain protocol pNetwork minted over 1 billion USD worth of pGALA to "crash" the original pGALA pool; possibly because it failed to communicate with the Huobi platform about temporarily shutting down deposit and withdrawal services, a large number of users transferred coins from DEXs to the Huobi platform and subsequently sold them, triggering a price crash.

Huobi Global will set a tax burn mechanism for pGALA, with the tax used for repurchasing and destroying pGALA

ChainCatcher news: Huobi Global announced a notice regarding the pGALA tax burning mechanism on the BNB Chain, stating the following adjustments to maximize the protection of user asset security: The platform will close pGALA deposits; a tax burning mechanism will be set up, adjusting the pGALA spot trading fee to a bidirectional charge of 0.012 (1.2%), while other tax mechanisms within the platform will remain unaffected; all fee income will be used to repurchase and destroy pGALA, and the tax burning mechanism is expected to go live on November 5, 2022, at 0:00; all improper gains from the issuance of BNB Chain GALA tokens through deposits will be used to repurchase and destroy pGALA, and all trading fee income from GALA trading pairs on the platform from 0:00 to 24:00 on November 4 will be used to repurchase and destroy pGALA; Huobi will continue to negotiate with the project on behalf of users regarding compensation for asset losses caused by this incident.

Previously, it was reported that the multi-chain routing protocol pNetwork caused the minting of over $1 billion worth of pGALA tokens on the BNB Chain due to a cross-chain bridge configuration error, profiting by selling on PancakeSwap. After proposing to rename the GALA bought during the abnormal event to pGALA and the project party agreeing to fully compensate users holding tokens before the incident, Huobi announced that GALA would be relisted.