Earlier today, 96 private keys were stolen from the crypto gaming ecosystem Vulcan Forged, enabling the attacker to siphon off $140 million in cryptocurrency.
Vulcan Forged offers a smorgasbord of crypto activities. It is primarily a game studio, offering six different blockchain-based games. But it also has an NFT marketplace and its own decentralized exchange, where users can trade its token PYR.
When someone registers an account with Vulcan Forged, the platform creates a set of blockchain wallets for them on the Ethereum, Polygon and VeChain blockchains. Rather than have the user manage their own private keys, the platform does so on their behalf.
According to the project’s own wiki, it works with wallet management service Venly (formerly Arkane Network) to create its wallets — a service also used by Atari, Matic and the Blockchain Game Alliance.
In Venly’s Discord channel, Lawrence Pluym, head of community at Venly, said it’s undergoing an audit to check whether only Vulcan Forged wallets were affected.
Dumping the tokens on Uniswap
The 96 wallets that were affected contained 4.5 million PYR, worth $140 million at the time of the attack. That’s 9% of the project’s total supply of tokens, according to CoinGecko, and 23.7% of the circulating supply. Other assets including ether (ETH) and polygon (MATIC) may have also been taken.
After the exploit was discovered, but before it was announced, Vulcan Forged told its community to remove funds from the liquidity pools on decentralized exchanges. This would make it harder for the attacker to cash out the funds without using centralized exchanges, where they might need identity documents.
Despite this, the attacker has sold significant amounts of PYR for ETH, selling small batches of tokens at a time. But they still have 2 million PYR (currently worth $47 million) sitting untouched in one wallet.
This selling pressure has dropped the price of PYR. It was at $31 prior to the attack and is now at $24 — down 22%.
Vulcan Forged has said the project’s treasury will send out PYR and Vulcan Forged’s LAVA tokens to those affected. They will need to set up accounts with MetaMask and will receive the tokens there. Anyone who had ETH or MATIC stolen will receive the equivalent amount in PYR. So far, half of the funds have been reimbursed.
“We have contacted all exchanges to blacklist that address. It also seems the wallet owner may have KYCd [completed Know Your Customer checks] on an exchange we’re now in contact with,” tweeted Vulcan Forged.
It added that it is removing what it described as a semi-custodial solution from the Vulcan Forged ecosystem — meaning that in the future, its users will need to look after their own private keys.