Loopring Shut Down Its DEX to Fix Massive Vulnerability Before it was Exploited; Funds SAFU


Loopring, a DEX built on Ethereum, may have exposed close to $5 million of the exchange’s funds but moved swiftly upon a notification by Starkware. The privacy and scalability oriented blockchain firm notified Loopring on May 7th that the platform’s account keys could have been compromised based on a vulnerability in the production of keypairs within the platform.

A Medium post by Loopring has since confirmed that the funds are safe, but user action is required to prevent further exposure:

“To alleviate any concern, please know all funds are safe, however user action is required to reset your trading password on Loopring DEX if you want existing or future orders to be matched.”

Loopring’s Security Bug

This shortcoming within Loopring’s ecosystem could have resulted in another DeFi hack had a malicious party discovered it. The firm’s post noted that its frontend code was insufficient, leaving clients' EdDSA keypairs open to enumeration. According to Loopring, the firm did an extra hashing of users' trading passwords before EdDSA key generation but unfortunately ended up with a 32-bit integer space limitation. Given the primary functions of the EdDSA keypair within the Loopring platform, this creates an opportunity for fraudulent executions:

“If a user’s EdDSA keypair were to be compromised, the hacker can place an order to sell the compromised user’s asset on our orderbook at a very low price, and profit by being the buying counterpart. In a low liquidity situation, those orders would eventually match.”

Notably, Ethereum keys within Loopring are not affected by the underlying security threat in keypair generation. This is because the platform uses its own Account Key, citing SNARK-friendliness properties. In practice, all Loopring account users eventually have to create an account key to make full use of the platform’s crypto services, even though they join with Ethereum keys.
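An added example (not Loopring's code and not taken from its post): a regression check for the class of flaw described above, where a password-derived key seed ends up confined to 32 bits. `weak_seed` is an assumed model of the truncation, since the page does not show the actual code; SHA-256, scrypt, the fixed salt and every function name here are assumptions chosen for illustration.

```python
import hashlib

# Constructed demo salt so the run is repeatable; real systems use a random per-user salt.
FIXED_SALT = b"constructed-demo-salt"

def weak_seed(password: str) -> int:
    """Assumed model of the flaw: the password hash is reduced to a 32-bit integer."""
    digest = hashlib.sha256(password.encode()).digest()
    return int.from_bytes(digest, "big") % 2**32

def hardened_seed(password: str, salt: bytes = FIXED_SALT) -> int:
    """Keep the full 256-bit output of a memory-hard KDF as the key seed."""
    raw = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return int.from_bytes(raw, "big")

def observed_seed_bits(derive, samples: int = 16) -> int:
    """Upper bound on seed width: bit length of the OR of seeds over many inputs.

    Truncation anywhere in the derivation shows up as high bits that are never set.
    """
    seen = 0
    for i in range(samples):
        seen |= derive(f"constructed-password-{i}")
    return seen.bit_length()

def check_seed_width(derive, required_bits: int = 128) -> bool:
    """Regression check: reject derivations whose seed space is narrower than required."""
    return observed_seed_bits(derive) >= required_bits

if __name__ == "__main__":
    for name, fn in (("weak", weak_seed), ("hardened", hardened_seed)):
        print(f"{name}: seeds occupy at most {observed_seed_bits(fn)} bits, "
              f"meets 128-bit floor: {check_seed_width(fn)}")
```

A check like this belongs in the test suite of any code that turns a password into signing-key material, because a narrow seed caps the number of possible keypairs regardless of how strong the password or the signature scheme is.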

The Swift Solutions

Following the notification, Loopring shut its exchange immediately and set about fixing the bug. The Medium post highlights that the exchange has improved its EdDSA keypair generation by deploying a new production version. In addition to this, Loopring has also stopped order matching for clients that are yet to change their passwords:

“On the other hand, we have stopped order matching for all existing users until they have changed their trading passwords and thus updated their EdDSA keypairs.”

Bitcoin Exchange Guide