The attacker managed to compromise Loopring’s 2FA service.
Loopring, an Ethereum Layer 2 network, reported a security breach on Sunday that resulted in the loss of $5 million worth of tokens.
Hackers exploited Smart Wallets which relied on a single Guardian, specifically targeting the Loopring Official Guardian.
“The attack succeeded by compromising Loopring’s 2FA service, allowing the hacker to impersonate the wallet owner and gain approval for the Recovery from the Official Guardian,” Loopring tweeted. “Subsequently, the attacker transferred assets out of the affected wallets.”
Loopring describes its Smart Wallet as the “most secure Ethereum wallet,” which supports social recovery, multi-signature security, and integration with Layer 2 solutions.
The Guardian service allows users to designate trusted wallets for security actions such as locking compromised wallets or restoring access if the seed phrase is lost. In this breach, the hacker bypassed the official Guardian service and was able to impersonate wallet owners to initiate recovery processes.
In response to the attack, the company said it has temporarily suspended all Guardian-related and 2FA-related operations to prevent further breaches.
Loopring has also shared two wallet addresses that it claims were used in the attack. Blockchain data reveals that one of these wallets drained around 1,373 ETH, worth $5 million.
Loopring’s native token, LRC, dropped 2% on the news.
Surge in Smart Wallet Adoption
Smart Wallets have been gaining traction after ERC-4337 enabled account abstraction on the Ethereum mainnet. The update allows users to customize their wallets for specific needs, including automated transactions, multi-signature wallets, and social recovery.
Introduced in September 2021 by Vitalik Buterin, ERC-4337 has brought new Smart Wallet capabilities. Buterin promoted features like “social recovery,” which eliminates recovery phrases.
Before ERC-4337, some companies had already pioneered their own smart wallet functionalities. Loopring and Argent, for instance, developed their own Smart Wallets back in 2020. More recently, Coinbase launched its Smart Wallet.
While Smart Wallets improve functionality and provide a better user experience (UX), they also come with new risks and attack vectors that traditional externally owned accounts (EOA) wallets don’t face.
In April, when EIP-3074 was approved for inclusion in Ethereum’s next major upgrade, Pectra, several key figures in the Ethereum community warned that these capabilities could make wallets more vulnerable to scams.
“It should allow a scammer to drain your entire wallet with a single off-chain signature,” warned Itamar Lesuisse, the co-founder of Argent, a Starknet wallet provider. “I expect this will be a major use case.”
