Introduction
On 22nd January 2024 at 6:31 UTC, Gamee token ($GMEE), an on-chain gaming platform on the Polygon network, suffered an attack in which the project’s Polygon GMEE deployer address appeared to have been compromised via unauthorized GitLab access. The attack resulted in the loss of approximately 600 million $GMEE tokens worth $15 million, followed by transfers in ETH, MATIC, $GMEE, and USDC made possible by the unauthorized access to the deployer key.
Summary
The attacker exploited the recoverERC721s() function, bypassing the $GMEE recovery protection typically applied in the recoverERC20s() function, and drained 600 million $GMEE tokens from the contract. The exploit affected the proprietary team token reserves; according to the team, no user reserves were exploited.
The Attack
The exploit began with the attacker gaining unauthorized access to the Gamee deployer key. This key grants control over the protocol’s core functions and gives the attacker administrative privileges. The specific method by which the attacker obtained the key remains under investigation.
Exploiting the Recovery Flaw
Once in possession of the deployer key, the attacker exploited a security gap in the recoverERC721s() function. This function was designed to retrieve accidentally deposited NFTs but lacked the robust recovery protection applied to the recoverERC20s() function, which protected GMEE tokens. The attacker used this discrepancy to bypass security measures and gain access to a large pool of GMEE tokens.
Draining the Contract
In addition to the flaw noted above, the attacker exploited a missing allowance check in the _transferFrom() function called via recoverERC721s() to transfer the stolen tokens from the protocol. Typically, this function requires pre-approval from the token owner before transferring. However, the custom implementation of _transferFrom() in the Gamee protocol omitted this essential security check. This allowed the attacker to transfer the stolen $GMEE tokens without authorization.
Figure: a look at the hacker wallet using Etherscan.
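The two mitigations implied by the sections above, as an added Solidity example that is not Gamee's contract code: both recovery functions share one guard that refuses the token's own address, and _transferFrom() always checks and spends the allowance. The contract name GuardedToken, the notSelf modifier, the error names and the function signatures are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
interface IERC20 { function transfer(address to, uint256 amount) external returns (bool); }
interface IERC721 { function transferFrom(address from, address to, uint256 id) external; }
// Hypothetical token (names are assumptions, not Gamee's code). The balance held
// by the contract itself stands in for the reserve the article describes.
contract GuardedToken {
    address public immutable owner;
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    error NotOwner();
    error ProtectedAsset();
    error InsufficientAllowance();

    constructor(uint256 reserve) { owner = msg.sender; balanceOf[address(this)] = reserve; }

    modifier onlyOwner() { if (msg.sender != owner) revert NotOwner(); _; }

    // One guard shared by every recovery path, so the ERC20 and ERC721 paths cannot diverge.
    modifier notSelf(address asset) { if (asset == address(this)) revert ProtectedAsset(); _; }

    function recoverERC20s(address asset, address to, uint256 amount) external onlyOwner notSelf(asset) {
        require(IERC20(asset).transfer(to, amount), "transfer failed");
    }

    // transferFrom(address,address,uint256) is the same call shape in ERC20 and ERC721,
    // so this path needs the same self-address guard as the ERC20 one.
    function recoverERC721s(address asset, address to, uint256 id) external onlyOwner notSelf(asset) {
        IERC721(asset).transferFrom(address(this), to, id);
    }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        _transferFrom(msg.sender, from, to, amount);
        return true;
    }

    // Second layer: the allowance is always checked and spent, with no exemption for any caller.
    function _transferFrom(address spender, address from, address to, uint256 amount) internal {
        uint256 allowed = allowance[from][spender];
        if (allowed < amount) revert InsufficientAllowance();
        allowance[from][spender] = allowed - amount;
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
    }
}
```

With either layer in place, a recovery call aimed at the token's own address reverts: notSelf rejects it first, and if that guard were missing the self-call would still fail the allowance check.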
Impact and Mitigation
The exploit resulted in the loss of approximately 600 million $GMEE tokens, causing significant financial losses for the team and impacting the token’s price. The Gamee team responded by changing the ownership of token contracts to a secure address, stopping liquidity provision, and commencing legal actions. The Gamee token team stated on Twitter that they are starting a security audit — conducting a full security review of all existing procedures and contracts.
Lessons Learned
The Gamee exploit highlights the importance of several critical security practices in the DeFi space:
Thorough code audits
- Rigorous audits by independent security experts are crucial for identifying and addressing vulnerabilities before they can be exploited.
Robust security measures
- DeFi protocols should implement layered security measures at all code levels, including access controls, transaction verification, and smart contract security best practices.
About Olympix
Olympix is a pioneering DevSecOps tool that puts security in the hands of the developer by proactively securing code from day one.