pGALA Contract Private Key Exposed On GitHub For 70 Days: SlowMist

Blockchain security firm SlowMist discovered that a private key that provided access to pGALA’s upgrade contract had been exposed on GitHub for more than two months.

In an analysis published on Monday, SlowMist outlined what could be the cause of last week’s controversial pGALA exploit.

On Nov. 4, multi-chain routing protocol pNetwork said it noticed a misconfiguration of the bridge contract that made it vulnerable to an exploit and then drained the liquidity pool.

Crypto exchange Huobi alleged that pNetwork’s move was a premeditated theft rather than a white hat operation to recover funds.

While GALA Games sided with pNetwork’s version of events, SlowMist’s revelations would suggest the underlying vulnerability had been around for far longer.

SlowMist said the leaked keys allowed “any user with access to this private key to control the proxyAdmin contract and upgrade the pGALA contract at any time.”

The analysis found that the owner of the proxy admin contract address was updated on Aug. 28, meaning the pGALA contract was vulnerable for at least 70 days.

“Once the owner permission of the proxyAdmin contract was compromised, the pGALA contract became vulnerable to an attack,” said SlowMist.

The confusion around a potential exploit caused the price of GALA to drop 30% last Friday. The token has since recovered, and last traded for $0.03515.