96 private keys stolen from Vulcan Forged in $140 million theft December 13, 2021 by Tim Copeland
Quick Take
Vulcan Forged is a crypto gaming ecosystem, which creates wallets on behalf of its users.
When someone registers an account with Vulcan Forged, the platform creates a set of blockchain wallets for them on the Ethereum, Polygon and VeChain blockchains. Rather than have the user manage their own private keys, the platform does so on their behalf.
"Venly Servers or Solutions have not been compromised. The Venly team is actively helping the Vulcan Forged team with data analytics to help them understand and recover from this unfortunate event. Official communication will follow soon." said Venly CEO Tim Dierckxens.
Dumping the tokens on Uniswap
The 96 wallets that were affected contained 4.5 million PYR, worth $140 million at the time of the attack. That’s 9% of the project’s total supply of tokens, according to CoinGecko, and 23.7% of the circulating supply. Other assets including ether (ETH) and polygon (MATIC) may have also been taken.
After the exploit was discovered — but before it was announced — Vulcan Forged told its community to remove funds from the liquidity pools on decentralized exchanges. This would make it harder for the attacker to cash out the funds, without using centralized exchanges where they might need identity documents.
Despite this, the attacker has sold significant amounts of PYR for ETH, selling small batches of tokens at a time. But they still have 2 million PYR (currently worth $47 million) sitting untouched in one wallet.
This selling pressure has dropped the price of PYR. It was at $31 prior to the attack and is now at $24 — down 22%.
Vulcan Forged has said the project’s treasury will send out PYR and Vulcan Forged’s LAVA tokens to those affected. They will need to set up accounts with MetaMask and will receive the tokens there. Anyone who had ETH or MATIC stolen will receive the equivalent amount in PYR. So far, half of the funds have been reimbursed.
“We have contacted all exchanges to blacklist that address. It also seems the wallet owner may have KYCd [completed Know Your Customer checks] on an exchange we’re now in contact with,” tweeted Vulcan Forged.
It added that it is removing what it described as a semi-custodial solution from the Vulcan Forged ecosystem — meaning that in the future, its users will need to look after their own private keys.