The hacked play-to-earn non-fungible token (NFT) platform Vulcan Forged, which offers over six blockchain games, a decentralized exchange (DEX), and an NFT marketplace, said it has refunded the majority of affected users from its treasury.
The platform fell victim to a hack on Monday and lost around USD 140m.
The team detailed that a hacker got hold of the private keys to 96 ‘My Forge’ wallets and ran away with approximately 4.5m vulcan forged (PYR) tokens, which constitute 9% of the token’s entire supply and 23.7% of its circulating supply.
“All My Forge wallets have been secured. Only a few needing PYR back,” the developers said in a tweet, adding that the new wallet system is expected to go live within two days.
The team has also shared the wallet responsible for the exploit, claiming that they are working to identify footprints and that they “have isolated the tokens stolen from all [centralized] exchanges.”
Jamie Thomson, CEO of Vulcan Forged, appeared in a video to give further details about the incident. He said there wasn’t a problem with Venly, the wallet solution provider that the platform uses – rather the hacker managed to attack the semi-custodial wallets.
“What’s happened is that someone’s exploited our servers, got the Venly credentials, and used it to extract the private keys of the MyForge users,” Thomson said.
Thomson insisted that the incident has motivated the team to adopt a 100% decentralized solution. “Going forward, of course, we’re going to be using nothing but decentralized wallets so we never have to encounter this problem again,” he said.
“The attack was possible because all the private keys to all of the project’s wallets were held centrally on a single local network,” Gleb Zykov, Co-Founder and Chief Technology Officer of HashEx, a blockchain advisory and security audits company, told Cryptonews.com, adding that decentralized wallets, better known as multisignature wallets, make this kind of exploit much more difficult.
“Classic DeFi attacks do not particularly hack anything, they just exploit the opportunities given by smart contracts’ code itself. Sometimes, classic DeFi attacks exploit a sequence of smart contracts using flash loan protocols that allow borrowing uncollateralized loans. In this type of attack, the hacker drags the loaned liquidity through a series of smart contracts to manipulate the market in his or her favor, pockets the profit made through a pump-and-dump operation, and returns the loan. But here the liquidity was just transferred from wallets using the private keys to a different wallet or wallets,” Zykov explained.
Meanwhile, PYR tanked between December 12 and December 13, from USD 32.3 to USD 21.66, losing nearly 33%. At 10:15 UTC on December 15, PYR is trading at USD 21.7, having gone down 6.5% in the past day.