In May 2024, Gala Games suffered a hack that exploited poor access control on a privileged account. The attacker managed to mint 5 billion GALA tokens worth an estimated $200 million.
Inside the Attack
The Gala Games hack was made possible by poor access control over the private key associated with one of the protocol’s privileged minter accounts. This account hadn’t been used for approximately six months before being compromised by the attacker.
While the project’s smart contracts had access controls on its mint function, the compromised account was one of those with the ability to execute that function. As a result, the attacker was able to mint 5 billion GALA tokens worth $200 million and moved them to a personal account. They then began trading the GALA for ETH in batches of as much as 100 ETH.
A couple of hours after the attack occurred, the Gala Games team identified it and used its blocklist functionality — added a year earlier — to block the attacker’s address. After this occurred, the attacker moved all of the tokens back to the compromised minter account. The tokens were then moved to another account, presumably by the Gala Games team in an attempt to secure control of the funds since the minter account was compromised.
Lessons Learned from the Attack
The Gala Games hack is a demonstration of the importance of secure, decentralized access management for privileged accounts. The compromised account in question had the ability to perform privileged actions, such as minting tokens. The long dormancy of the account hints that maybe the attack was enabled by poor security for private keys for an unused and forgotten account.
However, it has also been suggested that the Gala Games hack might have been an attempted rug pull by an insider. Some members of the Gala team — including its President of Blockchain — departed the organization three days before the hack occurred. Additionally, the organization had a past history of infighting and what looked like another minting attack in November 2022 when pNetwork attempted to fix an issue with pGALA on PancakeSwap.
Regardless of the attacker’s affiliation — internal or external — entrusting a single private key with managing privileged access is dangerous. Using a multi-signature wallet instead reduces the risk that a single compromised or abused private key could harm a protocol and its users.
For help in designing secure governance protocols for your onchain project, reach out to Halborn.