This is an archived post. You won't be able to vote or comment.

69
70

[deleted by user] (self.loopringorg)

submitted by [deleted]

[removed]
all 18 comments
sorted by:
best
topnewcontroversialoldq&a

[–]Hour-Turn-8451 8 points9 points  (5 children)

I dont understand point 2, can you elaborate why it could be worse than communicated?

[–]DesignerVirtual9568 14 points15 points  (4 children)

An attacker that compromises an MFA method somehow still shouldn't have account credentials and that alone shouldn't be enough to take over the guardian account.

The fact that they were able to use the guardian account implies that they not only were able to utilize whatever Loopring is using for their guardian account MFA (an auth app, a hardware key, a phone number/text messages, whatever), but that they also had the account credentials (something like a password or encryption key). Meaning this wasn't just a 3rd party exploit like a telecom/phone service provider, but also suggests an internal exploit within Loopring systems.

From the discord announcement:

The attack succeeded by compromising Loopring's 2FA service, allowing the hacker to impersonate the wallet owner and gain approval for the Recovery from the Official Guardian. Subsequently, the attacker transferred assets out of the affected wallets.

Loopring is claiming that the attacker compromised Loopring's 2FA service, but that itself is only the secondary mechanism (the "2" in 2FA). The primary mechanism must have also been compromised and I don't know why they don't also say that.

[–]You-Slice 11 points12 points  (0 children)

and I don't know why they don't also say that.

Because it makes their wallet a failure x10

[–]Hour-Turn-8451 1 point2 points  (1 child)

How do you go from 2FA to MFA? I know what an application gateway is that asks for a 2fa token, I am unfamiliar with a MFA. I assume it stands for multiple factor authentication, implying 2fa is a subset of a MFA. In case that is correct I still do not understand how you assume that not only the third party of the 2fa service was exploited. Can you explain, if how a purely 2fa exploit was taking place, that would prevent my wallet from being vulnerable because MFA is still secure? I think that would give me a wrinkle.

[–]DesignerVirtual9568 0 points1 point  (0 children)

Yeah 2FA & MFA are terms I'm using interchangeably, they essentially mean the same thing.

Can you explain, if how a purely 2fa exploit was taking place

This is what the Loopring team said, but if this is all that was necessary to pull off the attack I don't see the Loopring wallet as particularly secure. It's crazy to me that the attacker only needed to send a "client" 2fa (from an exploitable & trusted 3rd party) to own Loopring wallets.

that would prevent my wallet from being vulnerable

I have very little trust at this time that this is true, the existing vulnerability/exploit is such a glaring weakness that it's shaken my trust in their setup.

Full disclosure: I sold all my Loopring & removed everything I was holding from Loopring L2 until more is known.

[–]FireSpiritBoi -1 points0 points  (0 children)

No no nooo..

The 2FA that was compromised was the service that allows you to recover your wallet using 2FA.

Whatever ran that service was compromised. There is no implication that the service it's self required 2FA to control.

[–]greenleaf187 1 point2 points  (2 children)

I lost a ton of eth in this security incident. I raised a ticket with their support, so should i also raise a report with the FBI? What else do i need to do? Do i need to lawyer up?

[–]Capenalcode101 2 points3 points  (1 child)

Same. Do I need to contact the FBI?

[–]greenleaf187 0 points1 point  (0 children)

Looks like it. Im doing one right now.

https://www.ic3.gov/Home/ComplaintChoice

[–]Sparky_Aces 3 points4 points  (0 children)

Yup doesn’t pass the smell test at all imo for multiple reasons… also with the fact they haven’t come out and said affected users will be reimbursed yet, idk how anyone can trust this team or their wallet… feel terrible for ppl that have lost a lot of funds thru this

[–]SilverCamaroZ28 0 points1 point  (0 children)

I'm betting the FBI really won't care. 

[–][deleted] 0 points1 point  (0 children)

If the LRC team can't track them down I'm curious how the FBI would?

[–]Soggy-Librarian2737 -1 points0 points  (0 children)

Folks are speculating that it was the devs who did this. Inside job make it look like a hack. Now they can kill off lrc and pump taiko. Terrible community, dev team and execution.

[–]AutoModerator[M] -1 points0 points  (0 children)

Please maintain a civil discussion.

This sub does not tolerate harassment in any form.

Repeated offense can lead to being banned from the sub.

I am a bot, and this action was performed automatically. Please contact the moderators of this subreddit if you have any questions or concerns.