In January 2024, the Animoca-backed GAMEE gaming platform experienced a hack targeting its GMEE token. The root cause of the incident was determined to be unauthorized access to the project’s smart contracts, leading to an estimated $7 million in losses.
Inside the Attack
The GAMEE hack was made possible via unauthorized access to the project’s GitLab environment. Like GitHub, GitLab is a version control system designed to implement a centralized repository and track updates to a codebase. The attacker identified a vulnerability in GAMEE’s GitLab environment, granting them access to an old version of the project’s repository.
Inside this old repository was a copy of the private key used to control the project’s deployer address on the Polygon blockchain. With access to this private key, the attacker was able to execute a recoverERC721s function to transfer approximately 600 million GMEE tokens to attacker-controlled wallets.
After the exploit was discovered, the GAMEE team froze its Polygon-Ethereum bridge and stopped trading and deposits for its contracts. It also worked to regain control over the compromised contracts by transferring them to a new address. Post-response, an estimated 200 million tokens were under the attacker’s control on the Polygon blockchain, but the project had secured its contracts and community-owned funds.
The project has patched the vulnerability that enabled the GitLab exploit and is performing an in-depth analysis of the exploit. Additionally, the project has announced its intent to deploy additional security measures and implement a bug bounty program to help prevent similar incidents from occurring in the future.
Lessons Learned from the Attack
The GAMEE hack was made possible by a few security gaps within the GAMEE project. One was that private keys were stored in a GitLab environment that lacked vital security patches. By identifying and exploiting this vulnerability, the attacker gained control over the private key for the project’s deployer address, both enabling the attack and forcing a change to a new address.
The attack was also enabled by the design of GAMEE’s contracts and Polygon bridge token. The existence of a recoverERC721s function made it possible for the attacker to steal the 600 million GMEE tokens. This vulnerability could also have been exploited in a rug pull if a malicious team member used their access to the deployer address in the same way as the attacker did.
Incidents like this underscore the importance of a comprehensive security program and protection against supply chain attacks. To learn more about how to address these risks, get in touch with Halborn.