SlowMist: The Root Cause of the pGALA Event is that the Plaintext of the Private Key was Leaked on GitHub (Released in 2022)

3 min readMay 9, 2023

According to SlowMist Zone Intelligence, on Nov 4, 2022, an address on the BNB Chain minted more than $1billion in pGALA tokens and then sold some via PancakeSwap. This caused the price of pGala to briefly drop more than 20%. The SlowMist Security Team intervened and analyzed the situation promptly and shared the results as follows:

Related Information

pGALA contract address


proxyAdmin contract address


The original owner address of the proxyAdmin contract


The Current owner address of the proxyAdmin contract


Detailed Analysis

1. The pGALA contract uses the transparent proxy model, and it has three privileged roles, namely Admin, DEFAULT_ADMIN_ROLE and MINTER_ROLE.

2. The Admin role is used to manage upgrades and changes to the Admin address of the proxy contract. The DEFAULT_ADMIN_ROLE role is used to manage various privileged roles in the logic (eg: MINTER_ROLE) , and the MINTER_ROLE role manages the pGALA token minting authority.

3. During this incident, the Admin role of the pGALA proxy contract was specified as the proxyAdmin contract address of the transparent proxy once the contract was deployed. Meanwhile, the DEFAULT_ADMIN_ROLE and MINTER_ROLE roles were controlled by pNetwork during initialization. The proxyAdmin contract was also controlled by the owner role, which was an EOA address and could upgrade the pGALA contract through proxyAdmin.

4. However, the plaintext private key for the proxyAdmin contract’s owner address was exposed on Github, allowing any user with access to this private key to control the proxyAdmin contract and upgrade the pGALA contract at any time.

5. This resulted in the owner address for the proxyAdmin contract being replaced 70 days ago (2022–08–28), and another project called pLOTTO, was also suspected to have been attacked.

6. Due to the nature of the transparent proxy, only the proxyAdmin contract could initiate the replacement of the Admin role for the pGALA proxy contract. Once the owner’s permission on the proxyAdmin contract was compromised, the pGALA contract became vulnerable to an attack.


To sum up, the root cause of the pGALA event is that the owner private key of the Admin role of the pGALA agent contract was leaked on Github, and its owner address was maliciously replaced 70 days ago. As a result, the pGALA contract was at risk of being attacked at any time.


About SlowMist

SlowMist is a blockchain security firm established in January 2018. The firm was started by a team with over ten years of network security experience to become a global force. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as Huobi, OKX, Binance, imToken,, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, O3Swap, etc.





SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.