SlowMist: The Root Cause of the pGALA Event is that the Plaintext of the Private Key was Leaked on GitHub (Released in 2022)

SlowMist
3 min readMay 9, 2023

According to SlowMist Zone Intelligence, on Nov 4, 2022, an address on the BNB Chain minted more than $1billion in pGALA tokens and then sold some via PancakeSwap. This caused the price of pGala to briefly drop more than 20%. The SlowMist Security Team intervened and analyzed the situation promptly and shared the results as follows:

Related Information

pGALA contract address

0x7dDEE176F665cD201F93eEDE625770E2fD911990

proxyAdmin contract address

0xF8C69b3A5DB2E5384a0332325F5931cD5Aa4aAdA

The original owner address of the proxyAdmin contract

0xfEDFe2616EB3661CB8FEd2782F5F0cC91D59DCaC

The Current owner address of the proxyAdmin contract

0xB8fe33c4B55E57F302D79A8913CE8776A47bb24C

Detailed Analysis

1. The pGALA contract uses the transparent proxy model, and it has three privileged roles, namely Admin, DEFAULT_ADMIN_ROLE and MINTER_ROLE.

2. The Admin role is used to manage upgrades and changes to the Admin address of the proxy contract. The DEFAULT_ADMIN_ROLE role is used to manage various privileged roles in the logic (eg: MINTER_ROLE) , and the MINTER_ROLE role manages the pGALA token minting authority.

3. During this incident, the Admin role of the pGALA proxy contract was specified as the proxyAdmin contract address of the transparent proxy once the contract was deployed. Meanwhile, the DEFAULT_ADMIN_ROLE and MINTER_ROLE roles were controlled by pNetwork during initialization. The proxyAdmin contract was also controlled by the owner role, which was an EOA address and could upgrade the pGALA contract through proxyAdmin.

4. However, the plaintext private key for the proxyAdmin contract’s owner address was exposed on Github, allowing any user with access to this private key to control the proxyAdmin contract and upgrade the pGALA contract at any time.

5. This resulted in the owner address for the proxyAdmin contract being replaced 70 days ago (2022–08–28), and another project called pLOTTO, was also suspected to have been attacked.

6. Due to the nature of the transparent proxy, only the proxyAdmin contract could initiate the replacement of the Admin role for the pGALA proxy contract. Once the owner’s permission on the proxyAdmin contract was compromised, the pGALA contract became vulnerable to an attack.

Summary

To sum up, the root cause of the pGALA event is that the owner private key of the Admin role of the pGALA agent contract was leaked on Github, and its owner address was maliciously replaced 70 days ago. As a result, the pGALA contract was at risk of being attacked at any time.

Reference: https://twitter.com/enoch_eth/status/1589508604113354752

About SlowMist

SlowMist is a blockchain security firm established in January 2018. The firm was started by a team with over ten years of network security experience to become a global force. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, O3Swap, etc.

Website:
https://www.slowmist.com
Twitter:
https://twitter.com/SlowMist_Team
Github:
https://github.com/slowmist/

--

--

SlowMist

SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.