Loopring, the ZK-rollup based protocol built on Ethereum, had its two-factor authentication based Guardian wallet recovery service compromised in a hack, the company recently disclosed.
About $5 million was drained from wallets protected by Loopring’s Guardian service, blockchain data shows.
The zkEVM protocol built on Ethereum with a website that bills its smart wallet application as “Ethereum’s most secure wallet,” suffered a security breach related to its ‘Guardian’ two-factor authentication service, the protocol announced on Sunday.
Through the Guardian service, users can elect to name wallets of trusted individuals or institutions to assist in security operations such as locking a compromised wallet or restoring one if the seed phrase is lost. However, a hacker managed to bypass Loopring’s own Official Guardian service to instigate recoveries on wallets with that single guardian without the users’ permission, Loopring disclosed in its announcement. As more than half of guardians are needed to instigate transactions, according to Loopring’s website, wallets that used multiple guardians or a different, third-party guardian were protected from the exploit.
Loopring also shared two wallet addresses the protocol says were involved in the security breach. Blockchain data shows one wallet was able to drain about $5 million worth of tokens from the affected wallets.
“We are actively collaborating with Mist security experts to determine how our 2FA service was compromised. To protect our users, we have temporarily suspended Guardian-related and 2FA-related operations. Following this action, the compromise has ceased,” the protocol wrote in its announcement on X.
Loopring also reported that it’s working with law enforcement to trace the perpetrator and requested that anyone with additional information about the hack share it with the protocol.