PlayDapp Exploit — Post-Mortem of a $290M Heist

NEFTURE SECURITY I Blockchain Security
Published in Dissecting Web3 · 4 min read · Feb 16, 2024

Crypto gaming platform PlayDapp has suffered an access control breach resulting in the loss of $290 million worth of PLA tokens.

Summary

Between February 9th and 12th, 2024, PlayDapp — a popular Ethereum-based South Korean crypto gaming and NFT platform — was exploited twice, resulting in a loss of $290 million. All clues point to a private key exploit that allowed the addition of a new minter to PlayDapp just before the hack took place. Although the attacker succeeded in minting 1.79 billion PLA on two occasions, they were only able to convert $32 million out of the initially stolen $290 million, which they scattered across various EOAs and chains in an attempt to obfuscate their trail. As of now, despite a $1 million reward being offered as a bug bounty in exchange for the return of all assets, the exploiter has yet to make themselves known.

Attack Process

  • The contract deployer’s address was compromised, reportedly due to a private key exploit.
  • The compromised wallet, acting without authorization, added the attacker’s address as a minter for the PLA Token.
  • First attack: More than 200 million PLA tokens valued at $36.5 million were minted on Feb. 9, which represents 72% of the total supply originally minted.
  • Second attack: 1.59 billion more PLA, worth $253.9 million at the time, was minted on Feb. 12.
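
The sequence above expressed as detection logic (an added example, not code from PlayDapp or Nefture): it replays a constructed event list and shows that the minter grant is the earliest alertable signal, ahead of either mint. The event names, addresses, allowlist, 1% cap and starting supply are assumptions; only the two mint amounts and their dates come from this page.

```python
from dataclasses import dataclass

# Assumed policy values, not taken from the PLA contract.
APPROVED_MINTERS = {"0xTREASURY"}  # placeholder allowlist of known minters
MAX_MINT_FRACTION = 0.01           # a single mint may add at most 1% of supply
START_SUPPLY = 700_000_000         # constructed starting supply

@dataclass
class Event:
    day: str
    kind: str       # "MinterAdded" or "Mint" (hypothetical event names)
    actor: str      # account that sent the transaction
    subject: str    # new minter, or mint recipient
    amount: int = 0

# Constructed events modelled on the attack process; addresses are placeholders.
EVENTS = [
    Event("2024-02-01", "Mint", "0xTREASURY", "0xREWARDS", 1_000_000),
    Event("2024-02-09", "MinterAdded", "0xDEPLOYER", "0xUNKNOWN"),
    Event("2024-02-09", "Mint", "0xUNKNOWN", "0xUNKNOWN", 200_000_000),
    Event("2024-02-12", "Mint", "0xUNKNOWN", "0xUNKNOWN", 1_590_000_000),
]

def review(events, supply, approved=APPROVED_MINTERS, cap=MAX_MINT_FRACTION):
    """Return (alerts, final_supply, first_alert_day) for an ordered event list."""
    alerts, first_alert_day = [], None
    for e in events:
        before = len(alerts)
        if e.kind == "MinterAdded" and e.subject not in approved:
            # A role grant outside the allowlist is suspicious even when it
            # comes from the deployer: that key may be the compromised one.
            alerts.append((e.day, "UNAPPROVED_MINTER", e.subject))
        elif e.kind == "Mint":
            if e.actor not in approved:
                alerts.append((e.day, "MINT_BY_UNAPPROVED", e.actor))
            if e.amount > cap * supply:
                alerts.append((e.day, "OVERSIZED_MINT", e.amount))
            supply += e.amount
        if first_alert_day is None and len(alerts) > before:
            first_alert_day = e.day
    return alerts, supply, first_alert_day

if __name__ == "__main__":
    for alert in review(EVENTS, START_SUPPLY)[0]:
        print(*alert)
```
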

Attack Transactions

Flow of Funds

The attacker managed to convert only $32 million of the stolen tokens, because the influx of newly minted tokens is itself a significant obstacle for the hacker. With the total circulating supply of PLA standing at $577 million before the exploit, liquidating such a vast quantity, particularly at pre-hack market values, poses a huge challenge.

PlayDapp hack visualized: the hacker minted 72% of the total supply originally minted.

This influx not only highlights the audacity of the attack but also the complexities involved in offloading such a substantial volume of tokens without raising suspicion.

As of February 13, 2024, a significant portion of tokens remain with the attacker.

The stolen tokens were distributed through different transactions:

Exploit Timeline

09–02–2024: An unauthorized wallet, likely the result of a private key compromise, minted 200 million PLA tokens valued at $36.5 million. This unauthorized minting occurred after a new minter was added to the PLA Token.

In response to the exploit, PlayDapp messaged the exploiter, offering a $1 million white hat reward for the safe return of stolen assets by February 13.

10–02–2024: PlayDapp sent an on-chain message to the exploiter, offering a $1 million white hat reward for the safe return of stolen assets by February 13th.

Message sent by PlayDapp to the exploiter after the initial February 9 breach.

The total circulating supply of PLA tokens before the exploit was $577 million. The PLA token plunged after the breach. It last traded 0.4% lower on Wednesday at around $0.14, and is down over 15% in the past week.

12–02–2024: The perpetrator minted an additional 1.59 billion PLA tokens worth $253.9 million.

13–02–2024: PlayDapp paused the PLA smart contract, aiming to take a snapshot for migration while the hack was still ongoing.

Discussions began on potential recovery strategies, including token migration.

Coinbase suspended PLA token trading following the platform’s smart contract pause.

The PLA token’s value fluctuated, sinking significantly after the breach, with a slight recovery observed afterwards.

The wallets associated with the exploiter have already been labeled as malicious in Nefture’s security tools, ensuring the continuous protection of our clients against exploits, hacks, scams, and financial risks.

Nefture secures crypto assets by detecting and mitigating malicious activities and system failures. - nefture.com