In June 2024, users of the Loopring wallet suffered a hack. In total, the attackers managed to steal an estimated $5 million from users who only used the wallet’s own Official Guardian service to protect their wallets.
Inside the Attack
Loopring is a cryptocurrency wallet designed to offer a greater degree of security to users than those of other blockchain wallets. Typically, a user practicing self-custody is solely responsible for securing the private key used to digitally sign transactions from their wallets. If that private key is stolen, then the attacker can steal funds from the user’s wallet. If it is lost, then the cryptocurrency held in that account may be lost forever.
Loopring provides users with additional protection against theft or loss by allowing users to define trusted “Guardians” for their wallets. These Guardians have the power to lock the wallet — blocking unauthorized transactions from it — or restore access to the wallet if it is lost. Users can either define their own Guardians or entrust this social recovery process to Loopring’s own Official Guardian service. If a Loopring user defines two or more Guardians, then a majority of them must approve any request to lock a wallet or restore a private key.
If a user elects to use the Official Guardian service, then Loopring uses two-factor authentication (2FA) to authenticate their identity if they request a social recovery service. However, the Loopring attacker identified a flaw in this 2FA service that allowed them to masquerade as the legitimate owner of wallets who relied solely on Loopring’s Official Guardian service as their means of social recovery. After successfully defeating the 2FA used to protect the wallet’s Recovery service, the attacker was able to access private keys and transfer crypto out of affected accounts.
Lessons Learned from the Attack
In theory, the Loopring Guardian system provides a means of addressing the two biggest risks to blockchain users: private key theft and loss. A social recovery system based on a majority vote of user-selected trusted parties helps to offset the most significant threats to self-custody.
The Loopring hack was made possible by a couple of different errors. One was that the Loopring Official Guardian service’s 2FA contained errors that allowed an attacker to bypass it. When designing and implementing authentication systems, it’s vital that they have ironclad security — especially when they’re protecting millions of dollars for users.
The other mistake affected the users’ sole reliance on the Official Guardian service to secure their social recovery mechanism. If these users had even one other Guardian — including another wallet they owned — then the attacker couldn’t have controlled the majority vote for recovery. Centralized systems are prime targets for attackers, especially when a single vulnerability can be used to target many users.