Loopring’s ‘Guardian’ Smart Wallets Hacked for $5 Million

An attacker breached the 2FA authentication service, impersonated wallet owners and siphoned around $5 million from what Loopring markets as “Ethereum’s most secure wallet.”

Loopring, an Ethereum-based ZK-rollup protocol, disclosed that some of its smart wallets were compromised in a security breach on Sunday.

“The attack exploited wallets with only one Guardian, specifically the Loopring Official Guardian. The hacker initiated a Recovery process, falsely posing as the wallet owner to reset ownership and withdraw assets,” wrote the Loopring team on X.

“The attack succeeded by compromising Loopring’s 2FA service, allowing the hacker to impersonate the wallet owner and gain approval for the Recovery from the Official Guardian.” 

Loopring describes its smart wallets as “Ethereum’s most secure wallet” that unlocks the full potential of layer 2. These smart wallets function more like smart contracts as opposed to standard Ethereum wallet addresses. Users can opt to nominate “guardians” as an added layer of security for their wallets to assist with asset recovery in cases of stolen or misplaced seed phrases. 

These guardians can be other hardware or software addresses that belong to them, or an address of a trusted third-party like a friend, family member, or institutional service. Users have the freedom to add as many guardians as they want, but in the event of wallet recovery more than half the number of wallet guardians would need to collaborate to unlock the wallet. 

In this particular instance, the hacker targeted wallets with only one guardian, meaning those wallets that nominated multiple guardians were not victims of the exploit.

Blockchain security firm Cyvers identified the hacker’s address which holds over $5 million after swapping the stolen assets for ether. 

The Loopring team said it is collaborating with blockchain security firm SlowMist and other security experts to determine how its 2FA service was compromised. In the meantime, the team has temporarily suspended Guardian and 2FA related operations.

“Loopring is working with law enforcement and professional security teams to track down the perpetrator. We will continue to provide updates as soon as the investigation progresses,” said the Loopring team.