Loopring Shut Down Its DEX to Fix Massive Vulnerability Before it was Exploited; Funds SAFU
Loopring, a DEX built on Ethereum, may have exposed close to $5 million of the exchange’s funds but moved swiftly upon a notification by Starkware. The privacy and scalability oriented blockchain firm notified Loopring on May 7th that the platform’s account keys could have been compromised based on a vulnerability in the production of keypairs within the platform.
1/ We’ve discovered a severe security vulnerability in @loopringorg ’s frontend, which put the entire Loopring exchange funds (~$5M) at risk. We alerted Loopring – they responded professionally and shut down their exchange to fix the bug. Our analysis: https://t.co/dD0eIhkkKc
— StarkWare (@StarkWareLtd) May 7, 2020
A medium post by Loopring has since confirmed that the funds are safe, but user action is required in a bid to prevent further exposure,
“To alleviate any concern, please know all funds are safe, however user action is required to reset your trading password on Loopring DEX if you want existing or future orders to be matched.”
Loopring’s Security Bug
This shortcoming within Loopring’s ecosystem could have resulted in another DeFi hack should a malicious party have discovered. The firm’s post noted that its Frontend code was indeed insufficient as it enumerates the EdDSA keypair of its clients. According to Loopring, the firm did an extra hashing of users' trading passwords before EdDSA key generation but unfortunately ended up with a 32-bit integer pace limitation. It, therefore, creates an opportunity for fraudulent executions given the EdDSA keypair primary functions within the Loopring platform,
“If a user’s EdDSA keypair were to be compromised, the hacker can place an order to sell the compromised user’s asset on our orderbook at a very low price, and profit by being the buying counterpart. In a low liquidity situation, those orders would eventually match.”
Notably, Ethereum keys within Loopring are not affected by the underlying security threat in keypair generation. This is because the platform leverages its own Account Key citing SNARK-friendliness properties. Basically, all Loopring account users eventually have to create an account key to maximize on the platform’s crypto services despite joining with Ethereum keys.
The Swift Solutions
Following the notification, Loopring shut its exchange immediately and resulted to fixing the bug. The medium post highlights that the exchange has improved its EdDSA keypair generation by deploying a new production. In addition to this, Loopring has also stopped order matching for clients that are yet to change their passwords,
“On the other hand, we have stopped order matching for all existing users until they have changed their trading passwords and thus updated their EdDSA keypairs.”