Loopring blockchain protocol hit by $5 million hack after 'Guardian' MFA service compromised

Loopring LRC, a zkEVM protocol built on Ethereum and known for its smart wallet application, has been hit by a security breach involving its 'Guardian' two-factor authentication service. The Guardian service allows users to designate trusted wallets for security tasks such as locking compromised wallets or restoring lost seed phrases. Unfortunately, a hacker bypassed Loopring's Official Guardian service, initiating unauthorized recoveries on wallets with this single guardian.

Loopring (LRC) is a decentralized finance (DeFi) protocol designed to facilitate the creation of decentralized exchanges (DEXs) on the Ethereum blockchain. It employs zkRollups, a scaling solution that uses zero-knowledge proofs to bundle hundreds of transactions into a single transaction, significantly reducing costs and increasing transaction speeds.

According to Loopring, the exploit did not affect wallets using multiple guardians or third-party guardians, as more than half of the guardians are required to authorize transactions. The protocol identified two wallet addresses involved in the breach, with one wallet draining approximately $5 million worth of tokens.

In response, Loopring has temporarily suspended Guardian-related and 2FA operations and is collaborating with Mist security experts to investigate the compromise. Loopring is also working with law enforcement to track the perpetrator and has requested assistance from anyone with information regarding the hack.

The hack exposed wallet addresses and enabled the theft of tokens valued at approximately $5 million. The number of affected individuals is not disclosed.

Loopring's website acknowledges the potential risk of its centralized Official Guardian service being targeted by hackers and advises users to set at least three guardians for enhanced security.