The Ethereum Layer 2 network, Loopring, reported a significant security breach on Sunday, resulting in the theft of $5 million worth of tokens. The attackers compromised Loopring’s two-factor authentication (2FA) service, targeting the network’s Smart Wallets that relied on a single Guardian, specifically the Loopring Official Guardian.
Details of the Attack
Loopring’s Smart Wallet, known for its high security with social recovery, multi-signature support, and Layer 2 integration, was compromised when hackers bypassed the 2FA service. This allowed the attackers to impersonate wallet owners and gain approval for asset recovery from the Official Guardian. Once access was secured, the hackers transferred assets out of the affected wallets.
In response to the breach, Loopring has temporarily halted all Guardian-related and 2FA-related operations to prevent further incidents. The company also shared the wallet addresses used in the attack, revealing that one wallet drained approximately 1,373 ETH, valued at $5 million. The news caused Loopring’s native token, LRC, to drop by 2%.
Surge in Smart Wallet Adoption
Smart Wallets have gained popularity following the implementation of ERC-4337, which enabled account abstraction on the Ethereum mainnet. This update allows for wallet customization, automated transactions, multi-signature wallets, and social recovery features. Introduced by Vitalik Buterin in September 2021, ERC-4337 has significantly enhanced Smart Wallet capabilities, eliminating the need for recovery phrases.
Prior to ERC-4337, companies like Loopring and Argent had already developed their own Smart Wallet functionalities. More recently, Coinbase also launched its Smart Wallet. While Smart Wallets offer improved functionality and user experience, they also introduce new risks and attack vectors not present in traditional externally owned accounts (EOA) wallets.
In April, with the approval of EIP-3074 for Ethereum’s next major upgrade, Pectra, several key figures in the Ethereum community expressed concerns about increased vulnerability to scams. Itamar Lesuisse, co-founder of Starknet wallet provider Argent, warned that these new capabilities could enable scammers to drain entire wallets with a single off-chain signature.
Conclusion
The recent security breach at Loopring underscores the importance of continuously improving and securing Smart Wallets. While they offer significant benefits and enhanced user experiences, the evolving landscape of blockchain technology necessitates vigilance against new threats and vulnerabilities. Loopring’s response to the breach and the ongoing investigation will be crucial in restoring confidence and ensuring the safety of user assets in the future.