PlayDapp Suffers $32.35 Million Security Breach

Summary

On February 9, 2024, PlayDapp, a Play to Earn (P2E) game based on Ethereum, experienced a security breach due to compromised private keys. The attacker exploited the platform and minted a total of 3.38 billion PLA tokens, which was worth nearly $617 million at the time of an incident. However, the attacker managed to convert the tokens for $32.35 million. The stolen funds were transferred to various addresses, with some deposited into the Polygon chain and Binance exchange, while a significant portion remains in the attacker’s address as of February 13, 2024.

Attackers

The identity of the attacker remains unknown. The attacker used the following Ethereum addresses:

Losses

PlayDapp suffered a loss of approximately $32.35 million due to the security breach.

Timeline

February 9, 2024, 01:39 PM UTC: The attacker granted minting privilege to himself using a compromised wallet.
February 9, 2024, 01:45 PM UTC: The first malicious transaction occurred with over $14 million worth of PLA tokens minted.
February 9, 2024, 01:54 PM UTC: Over $3.5 million worth of tokens were bridged to the Polygon chain.
February 9, 2024, 05:00 PM UTC: The attacker started depositing tokens to the Binance exchange.
February 9, 2024, 09:01 PM UTC: PlayDapp posted a tweet, claiming they are working along with partner exchanges to resolve an issue.
February 10, 2024, 04:20 AM UTC: The part of the tokens were deposited to Gate.io exchange.
February 10, 2024, 05:28 AM UTC: PlayDapp announced on X about transferring of the rest PLA tokens to a new wallet to safeguard assets.
February 10, 2024, 01:52 PM UTC: PlayDapp offered a $1 million white hat reward to the attacker.
February 11, 2024: Neptune Mutual posted detailed analysis of the incident.

Security Failure Causes

Compromised Private Key: The root cause of the exploit is reportedly due to the compromise of the private keys of the privileged address.