Gala Games: Investigating the $216M Crypto Exploit
A Deep Dive into Gala Games' $216M Crypto Exploit: Unveiling Insider Heists, Legal Troubles, and the Ongoing Struggle for Trust in the Blockchain Space
TL;DR
Gala Games experienced a $216M exploit due to an access control failure, leading to unauthorized minting of $GALA tokens. The incident follows a history of security breaches and legal disputes. Key players' recent departures add to suspicions, while efforts to stabilize the token highlight ongoing challenges in maintaining trust.
A potential hacker took control of an admin address to mint an astonishing 5 billion GALA tokens, valued at $216 million. Before Gala Games could blacklist the rogue address, the hacker swiftly sold 592 million tokens for $21.8 million in ETH.
The exploit was first noticed by Devops199fan, who observed the rapid minting and dumping of GALA tokens in batches of 100 ETH on 0xProject. Hours later, Gala Games confirmed the breach, describing it as an isolated incident and announcing its collaboration with law enforcement to identify those responsible.
The security incident involving the $GALA token has been contained and the impacted wallet has been frozen.
This was an isolated incident, the cause of which has been addressed and we are working closely with law enforcement to investigate the individuals behind the breach.… x.com/i/web/status/1…
— Gala Games (@GoGalaGames)
1:22 AM • May 21, 2024
To mitigate further damage, the Gala team utilized a blocklist function to prevent the hacker from continuing their activities. This function was introduced a year earlier in the V2 contract, proving its worth during the crisis. According to Benefactor from Gala, the ETH contract for GALA remained secure and protected by a multi-sig wallet.
Benefactor also mentioned, “We believe we have identified the culprit and are currently working with the FBI, DOJ, and international authorities.”
On a day marked by a significant market uptrend, the GALA token found itself ensnared in a sudden downturn. Just prior to the incident, Bloomberg Intelligence analyst Eric Balchunas increased the likelihood of the Securities and Exchange Commission approving certain crypto products from 25% to 75%, sparking a market surge.
Contrary to the rising tide buoying other tokens on news of a potential Ethereum ETF approval, GALA experienced an initial plunge of approximately 20%, sharply diverging from the general market rally.
As the market processed the ramifications of a security exploit, investor anxiety triggered a sell-off, causing GALA's price to tumble. Despite a partial recovery in the following hours, the damage was substantial, and GALA struggled to harness the positive market momentum that benefited its peers.
The day after the breach, the exploiter returned the funds. However, the critical question lingered: who orchestrated this audacious attack on Gala?
At the heart of what could have been a $216 million crypto heist was a serious failure in access control.
The hacker allegedly gained unauthorized access to a powerful admin account on the GALA token contract, enabling the attack on Gala Games.
Hacken's breakdown of the incident revealed that the exploit involved an "Access Control" attack vector. The attacker took control of an inactive MINTER account on the GALA token contract, which had been unused for 180 days.
The hacker minted 5 billion $GALA tokens to a new address, which was dubbed the “Gala Game Exploiter.”
Attack transaction: 0xa6d90abe17d17743a9cecab84bcefb0fd0bbfa0c61bba60fd2f680b0a2f077fe
Following the minting, the compromised account sent 2 ETH to Gala Game Exploiter, likely to cover gas fees for further transactions.
The exploiter then began swapping the newly minted GALA for ETH, in transactions of up to 100 ETH each.
GALA for ETH swaps:
0xe2ca471124b124831e231fb835778840ad100f97
Two hours and sixteen minutes later, Gala admins intervened, blocking the exploiter’s account to halt further transactions.
Blocked Account:
The exploiter transferred all the stolen ETH back to the Minter account.
Minter Account:
Subsequently, all the ETH was moved from the Minter account to a new externally owned account, possibly by the Gala team to secure the funds.
Externally Controlled Account:
0x16a96053f8e6382a32caa1a4461bf8c500d788019685b803ad3a3194fa5dd290
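The access-control failure described above (a MINTER role left unused for 180 days, then used for a single 5 billion token mint) maps onto two checks a token operator can run: alert when a long-dormant privileged key becomes active or mints above a ceiling, and periodically list dormant role holders for revocation. The sketch below is an added example, not code from Gala Games or Hacken; the account names, dates, amounts and the `MINT_CAP` value are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

DORMANCY = timedelta(days=180)  # inactivity period reported for the MINTER account
MINT_CAP = 1_000_000_000        # assumed per-call mint ceiling, in whole tokens

@dataclass
class PrivCall:
    ts: datetime
    account: str      # role-holding caller
    action: str       # privileged function invoked, e.g. "mint"
    amount: int = 0

def audit(calls, role_granted):
    """Return (call, reasons) for every privileged call that should alert.
    role_granted maps holder -> grant time, so an unused key is aged from its grant."""
    last_seen, alerts = dict(role_granted), []
    for call in sorted(calls, key=lambda c: c.ts):
        reasons = []
        if call.account not in last_seen:
            reasons.append("caller missing from role inventory")
        elif call.ts - last_seen[call.account] >= DORMANCY:
            idle = (call.ts - last_seen[call.account]).days
            reasons.append(f"role dormant for {idle} days")
        if call.action == "mint" and call.amount > MINT_CAP:
            reasons.append("mint above cap")
        if reasons:
            alerts.append((call, reasons))
        last_seen[call.account] = call.ts
    return alerts

def stale_roles(calls, role_granted, now):
    """Role holders idle for DORMANCY or longer at `now`: revocation candidates."""
    last_seen = dict(role_granted)
    for c in calls:
        last_seen[c.account] = max(last_seen.get(c.account, c.ts), c.ts)
    return sorted(a for a, t in last_seen.items() if now - t >= DORMANCY)

# Constructed sample data: account names, dates and amounts are illustrative.
GRANTS = {"minter-a": datetime(2023, 11, 1), "minter-b": datetime(2024, 4, 1)}
CALLS = [
    PrivCall(datetime(2023, 11, 20), "minter-a", "mint", 10_000_000),
    PrivCall(datetime(2024, 5, 10), "minter-b", "mint", 5_000_000),
    PrivCall(datetime(2024, 5, 20), "minter-a", "mint", 5_000_000_000),
]

if __name__ == "__main__":
    for call, reasons in audit(CALLS, GRANTS):
        print(call.ts.date(), call.account, call.amount, "; ".join(reasons))
```

Running `stale_roles` on the activity up to the day before the large mint already lists `minter-a`, which is the point of a periodic role review: the dormant key is revoked before anyone can use it.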
Three days before the exploit, Jason Brink, also known as Bitbender, announced he was transitioning from his role as President of Blockchain at Gala to an unpaid advisory position.
Adding to the intrigue, Jason Brink announced that several individuals would be resigning from their positions at Gala to establish an external organization, LFG (Let’s Fight Giants).
The timing of this move raises eyebrows, particularly in light of Gala Games' checkered past.
In early 2021, Gala Games suffered a $130 million loss when approximately 8.65 billion GALA tokens were stolen. Co-founder Eric Schiermeyer filed a lawsuit against his counterpart, Wright Thurston, alleging involvement in the theft.
Thurston retaliated with his own lawsuit, accusing Schiermeyer of misusing company funds for personal gain, as previously reported by The Block.
Further complicating matters, the United States Securities and Exchange Commission sued Thurston and another company in March 2023 for allegedly selling $18 million worth of unregistered securities in the form of GREEN, a cryptocurrency linked to a global decentralized power grid.
In November 2022, Gala Games attempted to reassure its community after concerns over a potential multibillion-dollar rug pull or hack caused the GALA token to plummet by 25.6%. The panic ensued when a single wallet address generated over $2 billion in GALA tokens, seemingly out of thin air.
The parallels with the previous minting incident are striking.
With a history marked by unexplained billion-dollar mintings and a $130 million insider heist, the latest $216 million incident hints at possible internal subterfuge.
Is Gala the one orchestrating these games?
The shadow cast by previous incidents at Gala Games, including insider heists and legal troubles, contributes to the aura of suspicion now surrounding the company.
The departure of key figures just days before the latest exploit and the history of unexplained token mints do little to allay fears. In a space where trust is paramount, Gala Games finds itself at a critical juncture. The next steps it takes could either restore confidence or further erode its standing within the community.
In response to the latest incident, DWF Labs announced the purchase of 28 million $GALA tokens ($1.2M) to stabilize the token's value and express support for Gala.
So, perhaps business will carry on as usual, and any suspicions may be swept under the rug again.
In the fast-paced crypto space, where attention spans are short and memories even shorter, the market's resilience—often bouncing back from scandals and breaches—testifies to the robust enthusiasm for blockchain technology.
Will Gala Games rebound with greater strength and security, or will it ultimately become a cautionary tale?
Only time will tell if these red flags are truly coincidences or indicators of deeper issues within.