April 20 (Cointime) - Tales of Elleria, an immersive three-dimensional role-playing GameFi project built on Arbitrum One, has experienced an exploit, resulting in a loss of over $280,000 USD, its co-founder Wayne @crwy__ revealed on Twitter.
According to Wayne, the hacker generated his own signature and withdrew a large amount of $ELM in four transactions from the bridge. The contract used to verify signatures, specifically the ecrecover function, is suspected to have been exploited, allowing the hacker to generate authorization signatures without the private keys. The private keys were only exposed to a few individuals and AWS for backend deployment, and no leak was detected.
The project is asking for help in investigating the incident and assures the Ellerians that appropriate action will be taken to compensate for the loss and move forward.
@TalesofElleria
— Wayne (@crwy__) April 19, 2023
🧵1/? Findings
Our bridge contract was exploited, our LP was drained, and we lost over 280k USD.
The exploited contract: https://t.co/CFNAcxQWJW
The user seems to have generated his own signature and withdrew an obscene amt of $ELM, draining the LP.
Read full thread:
2/ The hacker's address: 0xf2cbF39e7668EbB113f2C609BBd6eA1dFCe5d376 He made 4 transactions, withdrawing an incremental amount of ELM from the bridge:
1st: https://arbiscan.io/tx/0x411938ac2e40c0c0011187427760c7bf37a3a94606343da2e626d13d8b8e92c8…
2nd: https://arbiscan.io/tx/0x376aaa9b8bdf452ea4bbc4a185e639cf30eff456d96ee117571dcbb6e9cf318c…
3rd: https://arbiscan.io/tx/0x51ec11ef35c4a558c4d266c310f9a643513f46d97a65f8369c2b30ee10e67c8d…
4th: https://arbiscan.io/tx/0x1184e6e0970595572c27242a42e33682d41a3b0e676c269b8da164bd2477f0e2
3/ ecrecover: Potential vulnerability in the contract used to verify signatures: https://arbiscan.io/address/0xe1bBe57b783F619Ff5f3dC575bE6e069bCCe04f5… Current findings suspect that the ecrecover function was exploited and the hacker was able to generate the authorization signatures without our private keys.
4/ Private Keys
We were very careful with the private keys for the signers, and it was only exposed to me, Quack, and to AWS for our backend deployment. We're all nerds and don't spend much time on other stuff other than dev, don't think there was a leak on this side :')
5/ If anybody can help and investigate, we'll appreciate you immensely
We'll be here and will take action appropriately to compensate and move forward. Stay strong Ellerians!
All Comments