The turmoil of the abnormal issuance of pGALA by the multi-chain routing protocol pNetwork is not yet over. Huobi created controversy in the community because it changed the GALA token of some users identified as arbitrage “wool party” to pGALA. Just who is right and who is wrong in this matter?
Event review: pGALA issued more days, Huobi did not close the redemption and withdrawal in time
At 4:00 on November 4th, the virtual assets community began to spread news that the chain game platform Gala Games token Gala (BNB chain) had dropped rapidly and sharply. Originating from the multi-chain routing protocol pNetwork, more than US$1 billion worth of pGALA tokens were minted out of thin air on the BNB chain, and sold on PancakeSwap. This caused the Gala tokens on the BNB chain to drop directly from US$0.04 to US$0.0000045.
Subsequently, community users discovered that there was a huge price difference between the Gala token on the BNB chain and the centralized exchange, and they poured in a large amount of funds to buy the Gala token on the BNB chain to recharge and sell it on the centralized exchange. At that time, Binance and other exchanges had suspended the Gala recharge on the BNB chain, and the Huobi recharge channel was still open. The user completed the arbitrage by moving bricks through Huobi, causing the Gala on the Huobi exchange to drop sharply, from US$0.04 to US$0.0003.
pNetwork tweeted at 4:28 on November 4th that the minting of pGALA tokens exceeding US$1 billion out of thin air was caused by a misconfiguration of the cross-chain bridge. It said the pGALA contract on the BNB chain needed to be re-deployed, and it was working with the Gala Games team and PancakeSwap to obtain the account balance of pGALA users, and restore the deposit and withdrawal function. After the new contract was deployed, new pGALA tokens would be airdropped at a ratio of 1:1.
Based on what the security team SlowMist observed, pGala contract hackers had converted most of the Gala into 13,000 BNB, making a profit of more than US$4.3 million. At that time, the address still had 45 billion Gala, but it was not encashed because the fund pool was basically depleted.
From 9:00 on November 4th, Huobi released five consecutive announcements on the progress of handling abnormal events on the Gala token chain. The announcement stated that Gala tokens would be delisted, and the time node of the accident will be determined as the dividing line. After the incident, the purchase operation will be executed for users, the platform will rename the purchased Gala assets to PGALA (PGALA has nothing to do with the original Gala token, it belongs to a meme token). For those who held Gala tokens before the incident, the Gala project party agreed to make full compensation in the form of a 1:1 proportional airdrop of Gala on the Ethereum chain. At the same time, it said that it will continue to negotiate with related projects on behalf of users to compensate users for asset losses caused by the incident.
At 12:00 on November 5th, Huobi said it would re-list Gala and pGala tokens. For the pGala token, Huobi had set up a tax and fee burning mechanism, adjusted the PGALA spot transaction fee to 1.2% in both directions, and used all the fee income to repurchase and destroy pGala tokens.
According to pNetwork’s official Twitter channel, no information was released to the community for two days, apart from an announcement disclosing the existing problems when the incident happened. Faced with constant questions from the community, pNetwork did not release the post-event analysis of the pGala incident until 2:00 on November 6th.
According to the analysis report, at 1:52 on November 4th, the team noticed a configuration error in GALA’s pNetwork cross-chain bridge. Due to a misconfiguration, the ownership of the pGALA smart contract deployed on the BSC had been secretly taken over. The fund pool stood at US$400,000. At that time, the attacker who obtained the ownership of the smart contract did not launch any attacks.
At 3:11 on November 4th, pNetwork contacted GalaGames to suspend the cross-chain bridge activities, and drained the pGALA/BNB PancakeSwap pool through the white hat operation. This was an attempt to keep BNB funds in the pool, so that after the situation was under control, the funds could be returned to all its liquidity providers.
At 4:13 on November 4th, pNetwork issued an additional 27,814,200,000 unsecured pGALA to drain the pGALA/BNB PancakeSwap pool. Subsequently, an additional 27,814,200,000 unsecured pGALA tokens were issued.
As mentioned above, at 4:28 on November 4th, GalaGames and pNetwork tweeted to indicate the problem, reminding community users not to buy Gala tokens on the BNB chain. After the dissuasion was ineffective, at 4:29 on November 4th, pNetwork chose to continue draining the pool in order to protect users pouring into the added fund pool from potential attackers. At 6:16 on November 4th, GalaGames and pNetwork chose to stop draining the liquidity pool. So far, pNetwork has recovered 12,977 BNB by draining the pool. At 7:03 on November 4th, Huobi shut down the Gala recharge function on the BNB chain.
According to the analysis report disclosed by pNetwork, the pGala contract hacker mentioned above was, unknown to SlowMist, pNetwork itself. pNetwork’s additional issuance of worthless pGala tokens was due to a misconfiguration of GALA’s pNetwork cross-chain bridge, which caused a risk exposure of US$400,000.
Haotian, a blockchain security practitioner, tweeted that the pNetwork project team lacked common sense with regard to DeFi security, and injected excess liquidity into the ecosystem without completely eliminating potential hazards, which was too hasty and irresponsible. Afterwards, the possibility of potential insider operations was not accounted for. Instead, it mediated between Huobi and GALA to shirk responsibility and assign blame. It is understandable and not an exaggeration to say that it was the instigator.
The Gala project party, as the directly related party between pNetwork and the centralized exchange, failed to convey the information accurately (the GALA team confirmed that Binance closed the deposit and withdrawal of GALA on the BNB chain, but did not confirm the closure of the deposit and withdrawal with the docking team of Huobi Global). pNetwork’s conduct is extremely harmful to users, which shows that the Gala team does not take token holders seriously.
At the same time, users began to move bricks for arbitrage until Huobi shut down the Gala recharge on the BNB chain for up to 3 hours, which showed that the security and risk management measures of the Huobi platform are insufficient.
pNetwork and Huobi to go to court, Huobi promises to pay users $6 million
The latest pGala additional issuance incident affected the community in various ways. Some users profited handsomely via arbitrage, while others suffered losses. According to data on Lookonchain, a Smart Money address purchased 406 million GALA from the PancakeSwap pool for US$120,380 20 minutes after the GALA attack, and earned US$5.79 million and US$675,000 from Huobi and Binance respectively. The question then arises as to who victims can turn to in the case of financial losses.
Addressing this issue, Huobi issued a statement on the evening of November 6th, 2022. In the statement, Huobi stated that pNetwork’s behavior was not the purported white hat operation it claimed to be, but a malicious hacker attack conducted for profit.
Firstly, Huobi stated that while pNetwork did use its own single-line contact channel to communicate with the exchange, the message did not indicate that pNetwork was preparing to attack vulnerabilities, let alone that pNetwork would issue a large amount of 55.6 billion GALA tokens into the market within a space of 50 minutes. This action resulted in serious consequences, as innocent users and exchanges suffered heavy losses.
According to analysis from Slowmist, the misconfiguration of the cross-chain bridge mentioned by pNetwork above was actually carried out by the owner of the private key with administrative rights for the pGALA proxy contract that had been leaked on Github, and this owner address had been maliciously replaced 70 days ago, resulting in the pGALA contract being vulnerable and at risk of being attacked. pNetwork had deliberately concealed this fact from Huobi.
In addition, according to the post-event analysis report released by pNetwork, the community had been publicly reminded not to buy Gala tokens on the BNB chain. Specifically, the pNetwork team had requested that users not move tokens for arbitrage upon observing the large price differences between the chain and the exchanges.
Had opportunistic investors ignored pNetwork’s reminder and seized the chance to arbitrage and profit handsomely? Had the pNetwork team been an individual investor, would they have let the arbitrage opportunity pass?
Secondly, Huobi believes that there is no evidence that anyone would exploit the vulnerability in pNetwork to launch an attack, and it was pNetwork itself that was eager to exploit this vulnerability for profit. The vulnerability has existed for 67 days, which was a sufficient amount of time to evaluate potential security solutions, but the pNetwork team had eagerly chosen to actively exploit the vulnerability within 50 minutes and issue 55.6 billion tokens to drain the liquidity pool.
The pNetwork team may have been eager to solve the problem, but because there had been no attacks since the vulnerability had been discovered 67 days ago, the team could have calmly come up with a more comprehensive solution instead of one that put the market at risk.
Moreover, Gala on the BNB chain was originally a token for pledge mapping. According to past experience, the team can completely replace the token contract and discard the token contract with risks. Had pNetwork been transparent about its intentions, the community would have been able to understand and empathize. There was no need to solve the problem by draining the assets in the liquidity pool through additional issuance – an action that is extremely risky and harmful to the market.
Thirdly, Huobi believes that pNetwork’s argument that the additional issuance of up to 55.6 billion tokens was to arbitrate a liquidity pool worth about US$400,000 that was at risk of being attacked is groundless. Huobi believes that pNetwork’s intention was to profit from market turbulence, and that pNetwork was using the “white hat attack” as a guise to carry out hacking attacks to avoid legal sanctions.
Furthermore, pNetwork’s official analysis report disclosed that the 12,977 BNB (worth about US$4.5 million) in assets recovered by the pool would be returned to the unincorporated Holders who had pledged pGALA, in a snapshot that was taken at 16:00 on November 7th, 2022. Such actions do not seem to correspond to claims that it had been a white hat attack.
However, pNetwork mentioned in its post-event analysis report that a total of 55.6 billion Gala tokens had been issued twice. According to the GALA price of US$0.04 at that point in time, 55.6 billion Gala tokens were worth US$2.2 billion. pNetwork had issued additional Gala tokens worth US$2.2 billion for a liquidity pool with a potential risk of US$400,000. It would be difficult for the community to comprehend the logic behind such a course of action. Moreover, the method of privately issuing additional tokens is not in line with the spirit of the blockchain.
Regarding Huobi’s statement, pNetwork officially tweeted that it condemned Huobi’s false accusations against pNetwork and would take appropriate legal action to counter Huobi’s claims. pNetwork said that there is evidence to prove that its actions were conducted in good faith, and all actions had been agreed upon with GalaGames in advance.
In response to pNetwork’s response, Huobi told PANews that pNetwork’s response was false and weak in nature. Huobi countered that pNetwork had exploited the GALA token loophole by issuing a large number of tokens, completely concealed its attack behavior from the exchange, and had only contacted the exchange within the space of an hour. During the attack, 55.6 billion tokens had been issued by exploiting contract loopholes. During this period, the exchange was not given any time to respond, nor did pNetwork confirm with the exchange whether relevant measures had been taken to ensure asset security. Huobi Global has kickstarted legal procedures and intends for pNetwork to bear legal responsibility for its actions.
In addition, on the evening of November 9th, 2022, Justin Sun, a member of the Huobi Global Advisory Committee, said in the TS event “Entry Full Moon, Brother Sun’s Work Report” held by PANews that during the GALA incident, the recovered funds were worth about US$4 million, which had returned on-chain.
US$6 million in funds will be directed toward airdrop compensation to users who have suffered losses, and the remaining funds will be used to repurchase and destroy PGALA tokens. All compensation from pNetwork will be used toward compensating users who have suffered losses on the platform.
Reflection: Early warning safety mechanisms need to be strengthened
This incident was caused by pNetwork engineers leaving the key in the contract, which compromised security. pNetwork chose to overcome this security risk by issuing additional GALA tokens to drain the liquidity pool. Such a solution was extremely risky, and, due to poor communication, Huobi did not shut down deposits and withdrawals of GALA in time, which caused a large-scale impact.
The pNetwork and Gala projects are majorly responsible for this incident, which led to user losses and an erosion of confidence in the community. pNetwork were clearly aware that this vulnerability had existed for two months and had not been exploited, but did not carefully consider a comprehensive solution. Instead, it chose a high-risk solution that violated the spirit of the blockchain and was likely to cause large-scale damage to users. As an insider, the Gala project party chose to actively enable this high-risk behavior instead of investigating the root cause and providing a viable solution.
However, the security emergency response and risk control systems on the Huobi platform were extremely ineffective. When seeing the price difference on the chain, users in the community would definitely be aware of the arbitrage opportunity. How could Huobi, as a first-tier exchange, not know?
Therefore, although the communication with pNetwork was not effective, Huobi would have had enough time to halt the recharge function in order to reduce the number of affected users.
A user that has suffered losses can only approach pNetwork, the main responsible party that kickstarted the incident, to reach a solution regarding loss reduction. This is a security crisis caused by a loophole in the smart contract, but it is more pertinent than any code loophole, and blockchain project parties should pay attention to it.
As Hao Tian, a blockchain security practitioner, said: Security companies that specialize in early warnings and detections in security incidents were collectively absent from this Gala event. Security audits and services can check for code defects, but it is difficult to fight against the potential “man-made disaster” crisis created by industry ecological participants eager to profit from a quick buck.
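The early-warning checks this reflection calls for can be sketched as follows. This is an added example, not code from Huobi, pNetwork or any security vendor: it replays a constructed event feed and flags a replaced proxy owner, wrapped supply minted without matching collateral, and a DEX/CEX price gap, recommending that deposits be suspended at the first alert. The event fields, the 10% threshold, the starting supply and the placeholder addresses are assumptions.

```python
# Added illustration: names, fields and thresholds are assumptions.
TRUSTED_OWNERS = {"0xBRIDGE_ADMIN_PLACEHOLDER"}  # placeholder, not a real address
SUPPLY_BEFORE = 1_000_000_000  # constructed; assumed fully backed at start

# Constructed events. Only the 04:13 mint time, the mint amounts and the two
# prices come from the article; every other value is made up for the example.
EVENTS = [
    {"t": "T-70d", "kind": "owner_changed", "new_owner": "0xUNKNOWN_PLACEHOLDER"},
    {"t": "03:00", "kind": "price", "dex": 0.04, "cex": 0.04},
    {"t": "04:13", "kind": "mint", "amount": 27_814_200_000, "locked_on_origin": 0},
    {"t": "after 04:13", "kind": "mint", "amount": 27_814_200_000, "locked_on_origin": 0},
    {"t": "04:30", "kind": "price", "dex": 0.0000045, "cex": 0.04},
]


def evaluate(events, supply_before, max_divergence=0.10):
    """Return (alerts, suspend_at): every alert and the time of the first one."""
    supply = backed = supply_before
    alerts = []
    for e in events:
        reason = None
        if e["kind"] == "owner_changed":
            if e["new_owner"] not in TRUSTED_OWNERS:
                reason = "proxy contract owner replaced by an unlisted address"
        elif e["kind"] == "mint":
            supply += e["amount"]
            backed += e["locked_on_origin"]  # collateral locked on the origin chain
            if supply > backed:
                reason = f"unbacked wrapped supply: {supply - backed:,}"
        elif e["kind"] == "price":
            gap = abs(e["dex"] - e["cex"]) / e["cex"]
            if gap > max_divergence:
                reason = f"DEX/CEX price gap {gap:.1%}"
        if reason:
            alerts.append((e["t"], reason))
    suspend_at = alerts[0][0] if alerts else None
    return alerts, suspend_at


if __name__ == "__main__":
    for when, why in evaluate(EVENTS, SUPPLY_BEFORE)[0]:
        print(when, why)
```

Even without the owner-change signal, the unbacked mint alone raises an alert at 04:13 in this constructed feed, well before the 7:03 deposit shutdown described above.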
Disclaimer: This is a press release post. Coinpedia does not endorse or is responsible for any content, accuracy, quality, advertising, products, or other materials on this page. Readers should do their own research before taking any actions related to the company.
Source: https://coinpedia.org/press-release/with-an-additional-us2-billion-issued-for-us400000-who-will-take-responsibility-for-the-loss-of-users-in-the-gala-incident/