Crypto gaming platform PlayDapp lost $290 million worth of tokens in two exploits over the course of four days, with the attacker ignoring a $1 million “white hat reward” to return the stolen funds.
Posted February 13, 2024 at 11:24 pm EST.
South Korean-based crypto gaming platform PlayDapp lost millions of dollars’ worth of funds in a series of exploits that blockchain security researchers believe was the result of a private key compromise.
The first exploit took place on Feb. 9, when an unauthorized wallet minted 200 million PLA tokens worth $36 million at the time. Blockchain security firm PeckShield noted that the exploit appeared to be the result of a private key leak.
Hi @playdapp_io, you may want to take a look.
New 200m $PLA tokens were just freshly minted. It seems to be a private key leak and the new minter was just added in the following tx: https://t.co/tyxDksNwSt pic.twitter.com/SkjZsTjtdQ
— PeckShield Inc. (@peckshield) February 9, 2024
“The PLA token contract has been hacked and additional PLA tokens have been issued. We understand the gravity of this situation and assure you that we are taking immediate action,” wrote the PlayDapp team in an X post shortly after.
PLA is the native token of the PlayDapp platform, which acts as the primary token for processing transactions and is paid out to game developers when they make in-game purchases.
After the exploit, PlayDapp sent the hacker an on-chain message requesting the return of stolen funds by Feb. 13 in exchange for a “white hat reward” of $1 million.
However, the exploiter minted another 1.59 billion PLA tokens on Feb. 12, worth $253.9 million at the time.
“These tokens are already beginning to be laundered – being sent to cryptoasset exchanges and other accounts,” wrote blockchain security firm Elliptic in a blog post.
Elliptic noted that the total circulating supply of PLA tokens was 577 million prior to the attack, meaning that the exploiter may find it difficult to sell the 1.8 billion newly-minted tokens at anything close to their market value prior to the hacks.
PlayDapp has since paused the PLA smart contract and requested users to halt transactions ahead of a snapshot for a planned migration. The platform also said it is working with crypto exchanges, blockchain forensic firms and law enforcement to mitigate the damage.
We request the halt of transactions because we will conduct a migration based on the snapshot shortly.
— PlayDapp (@playdapp_io) February 13, 2024
The value of PLA dropped 15% over the last seven days to a low of $0.1394 at the time of writing.