In February 2024, PlayDapp, a blockchain game application, suffered a hack. The attacker exploited vulnerabilities in the project’s smart contracts to steal an estimated $290 million from the project. This incident occurred across two attacks, performed February 9th and 12th 2024.
Inside the Attack
The PlayDapp hack was made possible by an access control vulnerability in the project’s smart contract. By exploiting this vulnerability, the attacker was able to add themselves as an official minter on the project.
With minting powers, the attacker could create new tokens out of thin air. In the initial attack, they created 200 million PLA tokens, which are worth an estimated $36.5 million at the time. These tokens could be sold on exchanges, allowing the attacker to cash out from their attack and crashing the value of the smart contract.
The PlayDapp team responded to the attack by attempting to negotiate with the attacker. However, the hacker was not willing to return the assets and, in fact, carried out a second malicious minting of another 1.59 billion PLA tokens worth $253.9 million.
After the attack, the project paused the vulnerable PLA smart contract, froze tokens on exchanges, and requested that users stop performing transactions on with the PLA tokens. It took a snapshot of current account balances for use in a migration designed to mitigate the effects of the attack.
In total, the attacker minted approximately 1.8 billion PLA tokens. This is several times larger than the 577 million in circulation before the attack, indicating that the attacker will likely have significant difficulty trading them for anything near their previous market value. This is especially true given that the minted tokens are being tracked and frozen on exchanges.
Lessons Learned from the Attack
The PlayDapp hack demonstrates the importance of strong access controls for critical functions in smart contracts. As demonstrated in this incident, the ability to mint tokens poses a significant risk to a project and its users since an attacker can devalue existing tokens and make money from their attacks by selling these fake tokens on exchanges.
Often, the vulnerabilities that allow exploits like this can be identified and remediated as part of a smart contract security audit before vulnerable code is launched and places a project and its users at risk. For more information about scheduling a smart contract audit for your DApp, get in touch with Halborn.