Loopring Suffers Security Breach Through Guardian 2FA Service, $5 Million Stolen

Loopring Suffers Security Breach Through Guardian 2FA Service, $5 Million Stolen

Loopring, a zkEVM protocol built on Ethereum, recently experienced a security breach involving its ‘Guardian’ two-factor authentication (2FA) service, as announced on Sunday. The platform, which promotes its smart wallet application as “Ethereum’s most secure wallet,” encountered issues when a hacker managed to exploit its Official Guardian service.

The Guardian service allows users to appoint trusted wallets or institutions to aid in security tasks like locking a compromised wallet or restoring access if the seed phrase is lost. However, the hacker bypassed Loopring’s Official Guardian to authorize recoveries on wallets using that single guardian, without user consent. According to Loopring’s website, initiating transactions requires approval from more than half of the guardians, which meant that wallets with multiple guardians or those using third-party guardians were safe from this exploit.

Loopring disclosed two wallet addresses involved in the breach, revealing that one wallet managed to siphon approximately $5 million worth of tokens from the affected accounts.

In their announcement on X, Loopring stated, “We are actively collaborating with Mist security experts to understand how our 2FA service was compromised. To protect our users, we have temporarily suspended Guardian-related and 2FA-related operations. Following this action, the breach has ceased.” The protocol also mentioned that it is working with law enforcement to track down the hacker and urged anyone with information to come forward.

While the breach was unexpected, Loopring’s risk disclosure does acknowledge potential vulnerabilities in its Guardian service, advising users to appoint at least three guardians. “After your Wallet is created, we will add Loopring Official Guardian service to your Wallet by default. As a centralized service, Loopring Official Guardian may be attacked and controlled by hackers,” the website states.

Following the announcement of the hack, Loopring‘s native token experienced a 5% drop in value over the last 24 hours, according to The Block’s Price Page. Loopring has not yet provided further comments on the situation.