PlayDapp Exploit, February 9th-12th, 2024: Detailed Analysis Report


PlayDapp, a well-known South Korean crypto gaming and NFT platform operating on Ethereum, was exploited twice between February 9th and 12th, 2024. The exploit resulted in a staggering loss of $290 million.

The evidence indicates a private key breach, which allowed a new minter to be added to PlayDapp shortly before the attacks occurred. The attacker successfully minted 1.79 billion PLA tokens on two separate occasions. However, they could only convert $32 million of the initially stolen funds. To obscure their tracks, the attacker scattered the funds across various EOAs and chains.

About PlayDapp

PlayDapp is a popular gaming platform and NFT marketplace. Its primary goal is to transition non-crypto users into blockchain-based gamers by offering an extensive gaming and crypto network.

On the PlayDapp platform, games are primarily offered as NFTs (non-fungible tokens), which users can purchase directly from others on the blockchain-based platform. PLA serves as the main token for transactional activities on PlayDapp. Additionally, game developers receive PLA when users make in-game purchases.

Established in Seoul, Korea, in 2017, PlayDapp was founded by Sung-Wone “Moshua” Choi. Choi, recognized as the founder of PlayDapp, also holds the position of CEO at SuperTree, a publisher of metaverse content platforms.

Root Cause of the Hack

The root cause behind the PlayDapp loss is a private key exploit. A private key exploit occurs when an unauthorized individual gains access to the private cryptographic key of a user or platform. In the context of cryptocurrency, particularly Ethereum-based platforms like PlayDapp, the private key is essentially the secret code that allows individuals to access and manage their digital assets, such as tokens or cryptocurrencies.

Attacker’s EOA addresses:

  • Initial Address: 0xD151050d43c28690766f50Ce9ea8686c5D243a40
  • EOA/2: 0x1cae9eAa76E880fe47A26dd838E5Ec056C289155
  • EOA/3: 0xe84d086f2c402d297d05b1bccc06d0e0942ec03c
  • EOA/4: 0x23cAeE3666b553445e430D1635AD64fBF388B07d

Victim contract: 0x3a4f40631a4f906c2bad353ed06de7a5d3fcb430

Detailed Technical Analysis

The following is the sequence of events that unfolded during the hacking incident:

Attack Transactions (Etherscan)

  • Tx1: 0xe8be05f6a3360f63b9e78a30b4ba16ea4c7d0b530a8abf99390f1c831851fb7e
  • Tx2: 0xc41687511e31f5612b73647c4b39e500e45dbfb2ae66789b7b8705d2336002f8
  • Tx3: 0x5f73c86a516616e25b3d13188f3289472d22a06cb1029ff174e00596a97e13b9
  • “Add Minter” Tx4: 0xe834f28377b79759ac5495a91975a01e0876af9aae312228c1ac525846406170

The address of the contract deployer was reportedly compromised, allegedly due to a private key exploit.
The compromised and unauthorized wallet then added the attacker’s address as a minter for the PLA token.

During the first attack on February 9th, over 200 million PLA tokens were minted, valued at $36.5 million. This amount represented 72% of the total supply originally minted.

In the subsequent attack on February 12th, an additional 1.59 billion PLA tokens were minted, valued at $253.9 million at the time.

Stolen Fund Flow

The hacker could only convert $32 million of the stolen tokens because of the considerable difficulty posed by the large number of newly minted tokens. With the total circulating supply of PLA at $577 million before the exploit, selling such a substantial amount, especially at pre-hack market rates, presents a significant hurdle. The hacker minted 72% of the total supply originally minted.

After the exploit, a considerable number of tokens still reside with the attacker. The stolen tokens were dispersed through various transactions:

  • 0x964837f1cffd9d54aae2d8a2083a8927219095ff7857194865b65b1d32669414
  • 0x1cb750dfcd6a425eac3013a4b0994eaa719d5e6824196fe3c06dafe4b6fa55a2
  • 0xfae62c49a680b22bc4f591cff9af57e86d5219f667307e3a06b96c77b417eba4

Hack Aftermath

Following the exploit, PlayDapp contacted the exploiter and offered a $1 million white hat reward for the safe return of the stolen assets by February 13.

Message from PlayDapp to the hacker: 0xb8c379f3ae8ea3ba48cdb7dac79c9b995f0e7a372a8bf9d620a6bfc875a31628

Before the exploit, the total circulating supply of PLA tokens stood at $577 million. Following the breach, the PLA token plummeted in value, trading 0.4% lower at approximately $0.14, marking a decline of over 15% in that week.

On February 13, 2024, PlayDapp paused the PLA smart contract to take a snapshot for migration amidst the ongoing hacking situation.
Coinbase halted PLA token trading after the platform’s smart contract was paused.
The price of the PLA token fluctuated, dropping significantly after the breach, yet showing a recovery afterward.

Mitigation Steps

Mitigation steps for the exploit on PlayDapp could include:

Enhanced Security Measures:
Strengthening security protocols for private keys and ensuring their secure storage.
Implementing multi-signature wallets that require multiple approvals for critical transactions.

Regular Security Audits:
Conducting routine security audits and penetration testing to identify vulnerabilities.
Engaging third-party cybersecurity firms to assess the platform’s security posture.

Improved Monitoring and Detection:
Introducing real-time monitoring tools to identify abnormal activity or unauthorized access.
Setting up alerts for any suspicious transactions or changes to critical systems.

Implementing Delayed Minting or Transfer:
Introducing a delay mechanism for minting or transferring tokens, allowing time for validation and verification.
This can prevent the immediate exploitation of any compromised accounts.

Emergency Response Plan:
Developing a comprehensive incident response plan to address any security breaches swiftly.
Clearly defining roles and responsibilities for responding to security incidents.

By implementing these mitigation steps, a protocol can bolster its defenses against similar exploits, protect user funds, and maintain trust within the crypto community.
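The monitoring item above can be made concrete for this incident's pattern, a minter being added and then minting a large share of supply shortly afterwards. The following is an added example, not code from ImmuneBytes or PlayDapp; the decoded `MinterAdded` record, the `tx_from` field, the thresholds and all sample data are assumptions constructed for illustration.

```python
ZERO = "0x" + "0" * 40
# keccak256("Transfer(address,address,uint256)"), the standard ERC-20 Transfer topic
TRANSFER = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"

def addr(topic):
    """An indexed address topic is 32 bytes; the address is the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def pad(a):
    """Left-pad a 20-byte address to a 32-byte topic (used to build samples)."""
    return "0x" + "0" * 24 + a[2:]

def scan(logs, supply, baseline_minters, max_bps=100, fresh_blocks=7200):
    """Walk logs in block order; return (alerts, supply after all mints).
    max_bps: largest single mint tolerated, in basis points of current supply.
    fresh_blocks: how long a newly added minter stays 'fresh' (assumed ~1 day)."""
    added_at = {m.lower(): None for m in baseline_minters}  # None = pre-approved
    alerts = []
    for log in logs:
        if log.get("event") == "MinterAdded":  # assumed, already-decoded role event
            who = log["account"].lower()
            added_at[who] = log["block"]
            alerts.append((log["block"], "minter-added", who))
            continue
        t = log.get("topics", [])
        if len(t) != 3 or t[0] != TRANSFER or addr(t[1]) != ZERO:
            continue  # not an ERC-20 mint (a Transfer from the zero address)
        sender, amount = log["tx_from"].lower(), int(log["data"], 16)
        if sender not in added_at:
            alerts.append((log["block"], "mint-by-unknown-minter", sender))
        elif added_at[sender] is not None and log["block"] - added_at[sender] <= fresh_blocks:
            alerts.append((log["block"], "mint-by-fresh-minter", sender))
        if amount * 10_000 > supply * max_bps:  # integer-exact threshold check
            alerts.append((log["block"], "oversized-mint", sender))
        supply += amount
    return alerts, supply

# Constructed sample data (not the incident's real addresses, blocks or amounts)
OPS, NEW, UNIT = "0x" + "a1" * 20, "0x" + "b2" * 20, 10**18
SAMPLE = [
    {"block": 100, "tx_from": OPS, "topics": [TRANSFER, pad(ZERO), pad(OPS)], "data": hex(1_000 * UNIT)},
    {"block": 200, "event": "MinterAdded", "account": NEW},
    {"block": 205, "tx_from": NEW, "topics": [TRANSFER, pad(ZERO), pad(NEW)], "data": hex(200_000_000 * UNIT)},
    {"block": 206, "tx_from": OPS, "topics": [TRANSFER, pad(OPS), pad(NEW)], "data": hex(5 * UNIT)},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE, 700_000_000 * UNIT, [OPS])[0]:
        print(alert)
```

The minter-added alert fires before any mint happens, which is the point at which pausing the contract or revoking the role is still cheap.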


The PlayDapp exploit, which occurred between February 9th and 12th, 2024, involved an attacker gaining access to the contract deployer’s address through a private key exploit.

This allowed the attacker to mint 200 million PLA tokens worth $36.5 million initially and later an additional 1.59 billion PLA tokens worth $253.9 million. PlayDapp offered a $1 million white hat reward for the safe return of assets; however, the attacker has refused. The attacker still holds a significant portion of the stolen tokens as of the last known update.

Mitigation steps for a private key exploit involve securing keys, using multi-signature wallets, and regular smart contract security audits. Real-time monitoring detects anomalies, while educating users, implementing transaction delays, and engaging with the security community strengthen defenses. Prioritizing the strengthening of security measures and educating the community is crucial to prevent similar incidents.

Author: ImmuneBytes
Date: 2024-03-19 05:43:58

Alina A, Toronto
Alina A, a UofT graduate and Google Certified Cyber Security analyst, is currently based in Toronto, Canada. She is passionate about researching and writing about cybersecurity-related issues, trends and concerns in an emerging digital world.

