Loopring suffers $5 million hack after 'Guardian' two-factor authentication service is compromised

Loopring LRC -4.76% , the zkEVM protocol built on Ethereum with a website that bills its smart wallet application as "Ethereum's most secure wallet," suffered a security breach related to its 'Guardian' two-factor authentication service, the protocol announced on Sunday. 

Through the Guardian service, users can elect to name wallets of trusted individuals or institutions to assist in security operations such as locking a compromised wallet or restoring one if the seed phrase is lost. However, a hacker managed to bypass Loopring's own Official Guardian service to instigate recoveries on wallets with that single guardian without the users' permission, Loopring disclosed in its announcement. As more than half of guardians are needed to instigate transactions, according to Loopring's website , wallets that used multiple guardians or a different, third-party guardian were protected from the exploit. 

Loopring also shared two wallet addresses the protocol says were involved in the security breach. Blockchain data shows one wallet was able to drain about $5 million worth of tokens from the affected wallets. 

"We are actively collaborating with Mist security experts to determine how our 2FA service was compromised. To protect our users, we have temporarily suspended Guardian-related and 2FA-related operations. Following this action, the compromise has ceased," the protocol wrote in its announcement on X. Loopring was unable to be immediately reached for comment by The Block. 

Loopring also reported that it's working with law enforcement to trace the perpetrator and requested that anyone with additional information about the hack share it with the protocol. 

While the attack was likely a surprise for the team, Loopring's risk disclosure statement identifies a compromise to its Guardian service as a potential attack vector, and recommends users identify at least three guardians. "After your Wallet is created, we will add Loopring Official Guardian service to your Wallet by default. As a centralized service, Loopring Official Guardian may be attacked and controlled by hackers," Loopring's website reads . 

Loopring's native token has fallen about 5% in the last 24 hours following the protocol's disclosure of the hack, according to The Block's Price Page .