On March 20, GameFi project Gala Games announced it had recently filed a lawsuit against pNetwork, the cross-chain interoperability bridge used by Gala on the BNB Smart Chain. In November 2022, Gala Games was exploited after an unauthorized wallet address minted over $2 billion in GALA (GALA) and dumped the tokens on PancakeSwap, draining $4.5 million from the liquidity pool and causing a substantial plunge in GALA’s token price.
The lawsuit alleges that the incident was the result of “negligence and tortious interference” from pNetwork. On Nov. 7, 2022, blockchain analytics platform SlowMist alleged that the incident may have stemmed from a plain text private key leak in one of three pNetwork affiliated smart contracts on Gala. The leaked private key, as told by SlowMist, was publicly viewable on GitHub.
“The lawsuit states that (i) pNetwork admitted that it mistakenly leaked a governance key when deploying this pGALA bridge, which such key was later used by an attacker to breach the pGALA contract on the BNB chain.”
In a statement to Cointelegraph, a representative for pNetwork stated:
“As the pNetwork team, we would like to express our genuine surprise and concern upon hearing the recent announcement by the GALA Games Project to sue pNetwork. We would like to clarify that, three months ago, we had already submitted a comprehensive report to the Swiss authorities detailing the entire incident.”
The representative said the report includes full conversations and relevant documentation and alleged that the Gala Games team deleted messages in “their role in planning, supporting, and communicating the so-called white hat intervention.” PNetwork reiterated: “We have been fully transparent and cooperative with the authorities in this matter, and we firmly believe that the truth will come to light.” Shortly after the incident, pNetwork claimed that its activity during the exploit was a “white hat move.” The statement has been challenged by cryptocurrency exchange Huobi Global.
Gala Games claims the alleged breach led to over $25 million in damages and is seeking $27.7 million from pNetwork for “out-of-pocket costs due to the breach, additional compensation for injuries, punitive damages and other relief.”
“In the event that the suit succeeds, Gala has stated that any damages, less legal fees, will be converted to $GALA and burned. Gala is also aware of the damage that pNetwork’s actions caused many other third-parties, and invites these other injured parties to contact the legal team.”
In a post-mortem analysis dated Nov. 5, 2022, pNetwork stated that a “misconfiguration of the pNetwork-powered bridge for the GALA token” was noticed by the developer team and that “the ownership of the pGALA smart contract (deployed on BSC) had been covertly taken over due to the misconfiguration”:
“Loss of ownership over the token smart contract opens up the possibility for the attacker to mint new tokens and to alter pGALA at will.”
Furthermore, pNetwork wrote:
”No hack was actually performed by whomever currently retains ownership of that smart contract (from now on, the ‘attacker’), but the situation highlighted a high security risk that had to be promptly mitigated.“
Gala also alleged that on Nov. 5, 2022, pNetwork devised a plan to return in full “the BNB assets collected from the whitehat draining of the pool” but allegedly did not proceed with the plan in a follow-up on Nov. 11, 2022. In a Telegram post, pNetwork said the first part of its recovery plan involving GALA tokens “has been completed” but the second part involving BNB (BNB) tokens “is still on hold.”
“We had a first meeting with the Swiss authorities (‘Ministero Pubblico’ of Lugano, Switzerland) to discuss the incident on February 8th. The discussion is still ongoing and we expect some progress to be made in the coming weeks.”
None of the allegations have been substantiated in a court of law. PNetwork stated that it “will continue to work closely with the Swiss authorities and provide any further information as needed in order to resolve this issue in the best interests of all parties involved.”