Solana-Based Aurory Suffers Devastating Hack, Loses 80% Liquidity

Solana-based Aurory, the Pokemon-like battler game, fell victim to a devastating hack in which the attacker stole around 600,000 AURY tokens worth around $830,000 at the time of the exploit. 

The hack, which targeted the SyncSpace Aurory bridge, saw Aurory lose 80% of its liquidity from its AURY-USDC pool, which was reduced from $1.5 million to $312,000. 

Details Of The Hack 

Aurory developers have disabled the SyncSpace blockchain bridge that connects the game to the Ethereum scaling network Arbitrum and the Solana ecosystem. Jonathan Campeau, the executive producer at Aurory, stated that the Aurory team is currently working on a fix and will release a global patch for its backend services as it looks to resolve the problem. 

“It was a race condition attack on our off-chain marketplace. The user was able to send several buy purchase requests simultaneously, the seller received twice the amount, and the buyer was debited only once.”

The Aurory team released an official statement on the 17th of December, disclosing details about the hack. According to the statement, the team detected unusual activity on their marketplace and initiated an investigation. The investigation revealed that a hacker had exploited the marketplace’s buy endpoint. The exploit allowed the hacker to inflate their AURY token balance in SyncSpace, allowing them to withdraw nearly 600,000 tokens to the Arbitrum network. Following this, the attacker liquidated the stolen amount, selling it in the market. 

“Just a few hours ago, our team detected unusual activity on our marketplace. After quickly investigating, we discovered that a bad actor was able to exploit our marketplace’s buy endpoint, allowing them to increase their $AURY balance in SyncSpace. This allowed them to withdraw around 600k tokens to the Arbitrum network, which they then proceeded to market sell into our bids, liquidating the full amount of their theft.”

The team also revealed it had disabled the SyncSpace bridge, adding that users could not deposit or withdraw assets until the bridge is back online. 

“We’ve disabled SyncSpace for maintenance, meaning assets will not be able to be deposited or withdrawn while the maintenance is ongoing.”

80% Liquidity Lost

The exploit led to a staggering 80% drop in liquidity in the AURY-USDC pool on the Camelot decentralized exchange. The AURY token has also registered a significant drop in price and was down 17% following the news of the exploit, according to data from CoinGecko. However, the token did rebound, rising to around $1.15. The token is currently trading at $1.22, according to data from CoinGecko.

User Funds Secure 

The statement on X assured users that their funds remained secure, stating that the stolen funds came from a wallet that funds withdrawals for accounts that have not previously deposited AURY. The statement also added that the exploit is not ongoing, thanks to the disabling of the SyncSpace bridge. 

“No user funds or NFTs have been lost or are at risk. The $AURY that was taken came from a team wallet, which funds withdrawals for accounts that have not previously deposited $AURY. The exploit is not ongoing. With SyncSpace offline for maintenance, there is currently no risk of any further exploits.”

The team also confirmed that the attacker had exhausted their supply of AURY tokens. Additionally, the Aurory team also stated that it would be releasing a detailed postmortem of the exploit to determine how the vulnerability went undetected despite a recent expert audit. The Aurory platform had been audited by cybersecurity firm Ottersec, which did not flag the vulnerability that led to the exploit. According to Campeau, Aurory was told that such an attack does not fall within Ottersec’s scope.

SyncSpace was audited months ago by one of the best security firms in the industry. We will be investigating further to uncover how this bug went undetected despite an expert audit. A more in-depth post-mortem on the situation will be coming once we have completed our fix and finished our investigation. 

Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.