Incident Report: Unauthorized Token Minting – Blockchain Game Partners Inc.
Overview
On May 20, 2024, Blockchain Game Partners Inc. (“Company”) experienced a security breach involving a third-party contractor (“Malicious Actor”) that led to the unauthorized minting of 5 billion $GALA tokens. The Company promptly responded to the incident, successfully stopping the malicious actor, and has now enhanced security measures to prevent future breaches.
This report outlines the incident details, the measures taken, and ongoing actions against the individual involved.
Incident Details
- Unauthorized Minting: A malicious actor compromised the private key of an address with a minter role for the Ethereum side of the $GALA platform, minting 5 billion tokens. The contract itself was never breached, and all internal processes have been corrected, including removing unauthorized users.
- Token Handling: The malicious actor returned the ETH obtained from selling GALA, which has been used to buy back and burn tokens. The 5 billion tokens created by the actor will be burned.
- Security Measures: The exploited contract and wallet were blocklisted immediately, and the Ethereum contract remains secured via a multi-sig contract with geographically separated signers.
Investigation and Identification
- Suspect Identification: The malicious actor was identified through usage patterns in other activities and within our network
- Historical Context: These patterns were previously connected to a smaller exploit, indicating privileged access misuse rather than an external software exploit
Response and Mitigation
- Immediate Actions: The attack was halted, and funds were frozen using blocklist functionality
- Collaboration with Authorities: The case has been referred to the Department of Justice (DoJ) and the Federal Bureau of Investigation (FBI) for further investigation
- Community Communication: We have proposed options via a Node vote to the community on the path forward
Security Improvements
- Review and Audit: An internal review of security protocols and contractor access is underway to prevent future incidents
- Enhanced Measures: Strengthening access controls, key management practices, and implementation of additional layers of security for critical operations. These include, but are not limited to:
- Migration from user based IAM access to Okta SAML + Identity Center with restrictive permissions sets
- Redesigned AWS and other RBAC permissions models to be context specific to role and team/product(s)
- Fixes for shipping AWS Security Center and other related logs
- Enabled AWS Macie and other sensitive data tooling
Liquidated Token Burns
Following their liquidation of the tokens, and once a public statement had been made that we knew the identity of the malicious actor, the malicious actor sent back 5,912 $ETH to the main Gala Finance Cold Wallet. The Gala Team then bridged this ETH into GalaChain and used it to purchase $GALA tokens, which were then burned.
- https://etherscan.io/tx/0xfe786355f9e36c490c1f73922cc4e623ff0cffe2e1a3bbb3d32483a0f64dc699
- https://etherscan.io/tx/0xaa6eb41d0cea3ec1c3638db1b6fe980847e7557912592ca5527d19a4008a8781
- https://etherscan.io/tx/0xa0cdf5aaa7fe7360f150879b3347ef287963148c9f6c7df3ff2230bf7e2b1e52
- https://etherscan.io/tx/0xf89a03cf5f9c5fc9c5357bd6cb0a0f5d92bbd69f00079f3af3bedc1099d68487
- https://etherscan.io/tx/0x6bf1f633f4de55e01d07c43df5b1bbcf073a87caa36656ba4e7719e86a9069b4
- https://etherscan.io/tx/0x3d1098c85c727ef94fd5da41247b97fcdf6d98209cc861ac301cd99ec6a0371f
- https://etherscan.io/tx/0x1541280aa8239f6c4cc9f003df7f381c87bb30d52a99d7ba86c7e6aa9ded67c6
Due to price movement, this number did not yet total the amount the attacker liquidated. An additional burn was conducted from Gala’s wallets to remove the full balance from circulation.
Illegally Minted Token Burn
Following a governance vote to the Founder’s Node Operators, a plan has been enacted to remove the illegally minted supply from circulation.
This will take place using the following actions via a multi-sig wallet.
- Upgrade contract to add new function: burnExploitedTokens()
- Exploiter’s address will be hardcoded into the function so there is no way it can be misused
- This function will have an admin-only modifier so it cannot be executed by anyone other than the multi-sig wallet
- Execute burnExploitedTokens() to remove the exploited tokens from circulation
- Upgrade contract to remove function burnExploitedTokens() functionality and revert the contract to its previous state
This took place in a single block: https://etherscan.io/tx/0x59d87edc805a83f1c6397f053dc3ffe159e3a752192bf709aac21d9d6bf71fb5
Next Steps
- Continue collaboration with DoJ and FBI to see that justice is served
- Implement and communicate enhanced security measures
This comprehensive report underscores our commitment to maintaining a secure and trustworthy platform for all GalaChain users. We’ve also published a blog post about it (https://news.gala.com/galachain/unauthorized-wallet-locked-down-in-record-time-funds-returned-as-security-measures-prove-effective/).
Conclusion The quick identification and response to the security breach ensured no threat to GalaChain users or $GALA holders. The ongoing collaboration with law enforcement and proposed community actions aim to enhance the security and integrity of the system.