Hacker Steals $830,000 From Cross-Chain Bridge of Solana Game Aurory

Aurory purchased the stolen funds back from the hacker on a decentralized exchange

By: Samuel Haig Loading...

Hacker Steals $830,000 From Cross-Chain Bridge of Solana Game Aurory

Aurory, a Solana-based Pokemon-inspired web3 game, lost around $830,000 worth of its native tokens to a bridge exploit.

On Dec. 17, the project reported that a hacker had compromised the “buy endpoint” for its Aurory Marketplace, allowing the attacker to increase their balance of AURY tokens in SyncSpace — Aurory’s “hybrid on-chain/off-chain inventory system” that also facilitates asset bridging between Solana and Arbitrum.

The perpetrator behind the exploit was able to siphon 600,000 AURY (worth $830,000 at the time) from an Aurory team-controlled wallet. The tokens were moved to Arbitrum for sale via the Camelot decentralized exchange.

Aurory responded by taking SyncSpace offline to patch the vulnerability, and used its market maker to purchase all of the stolen AURY. Liquidity for the AURY/USDC pool on Camelot fell 80% from $1.5M amid the incident.

“The exploiter does not have any more AURY left to sell,” Aurory tweeted. “We swiftly moved to absorb sell pressure through our market maker and through pool rebalancing.”

Aurory emphasized that no user assets were impacted and there is no threat of further losses. The AURY token is down 20% since the exploit began, according to CoinGecko.

Aurory said it will restore SyncSwap functionality “in the coming days” after the vulnerability has been patched. The exploit occurred despite Aurory previously engaging Ottersec, a web3 security firm, for code auditing. Aurory integrated support for Arbitrum via SyncSpace in July.

Cross-chain bridges have proved to be a pervasive risk within the web3 ecosystem. According to Rekt, four of the five largest DeFi exploits targeted bridges, with Ronin, Poly Network, BNB Bridge, and Wormhole losing more than $2.1B in assets combined.