A recent GALA token contract address upgrade opened a loophole that lets hackers target crypto exchanges with old tokens.
Cryptocurrency exchanges are at risk of fake top-ups with old GALA tokens as the project’s recent upgrade generated a new contract address for the token.
According to an X (formerly Twitter) thread published by the crypto security researcher X-explore, there are now two tokens in circulation called GALA, with the price ratio between “old Gala” and “new Gala” set at 1:12.
The researcher noted hackers had already noticed this flaw and exploited it on Sept. 6 by withdrawing “all GALA” from Coinhub, a Mongolian crypto exchange. As of press time, the exchange had made no public statement on the matter.
X-explore said the hacker has been depositing the old GALA tokens on various crypto exchanges since July 27 to test fake top-ups. It is unclear how many other trading platforms are vulnerable to this attack.
The researcher says fake deposits have always been a “very important security issue” for crypto exchanges, urging platforms to check whether the contract address of the tokens they accept for deposits needs to be updated and whether the logic they use to decide which asset a deposit is credited as is wrong.
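The check described above, as an added Python example that is not code from the article, X-explore or any exchange: deposit logic that trusts the ticker next to logic keyed on the emitting contract address. All addresses, the `HOT_WALLET` name, the listing table and the decimals value are constructed assumptions, since the article gives no contract addresses.

```python
from decimal import Decimal

# Constructed placeholders: the article does not give the real contract addresses.
OLD_GALA = "0x" + "a1" * 20
NEW_GALA = "0x" + "b2" * 20
HOT_WALLET = "0x" + "c3" * 20   # hypothetical exchange deposit address
USER = "0x" + "d4" * 20         # constructed depositor address
# keccak256("Transfer(address,address,uint256)"), the standard ERC-20 event topic
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"

# What each contract reports from symbol(): both say "GALA" after the upgrade.
ONCHAIN_SYMBOL = {OLD_GALA: "GALA", NEW_GALA: "GALA"}
# Listing table keyed by contract address; the decimals value is an assumption.
SUPPORTED = {NEW_GALA: ("GALA", 8)}

def pad_address(addr):
    """Indexed address topics are left-padded to 32 bytes."""
    return "0x" + addr[2:].rjust(64, "0")

def make_log(token, sender, recipient, raw_amount):
    """Build a constructed log entry in the shape eth_getLogs returns."""
    return {"address": token,
            "topics": [TRANSFER_TOPIC, pad_address(sender), pad_address(recipient)],
            "data": "0x" + format(raw_amount, "064x")}

def credit_by_symbol(log):
    """Weak logic: trusts the ticker, so an old-contract transfer is credited."""
    if ONCHAIN_SYMBOL.get(log["address"].lower()) != "GALA":
        return None
    return ("GALA", Decimal(int(log["data"], 16)) / 10**8)

def credit_by_address(log):
    """Corrected logic: the emitting contract must be the listed one."""
    listing = SUPPORTED.get(log["address"].lower())
    if listing is None:
        return None             # unlisted contract, whatever its symbol says
    topics = log["topics"]
    if len(topics) != 3 or topics[0] != TRANSFER_TOPIC:
        return None             # not a standard ERC-20 Transfer event
    if "0x" + topics[2][-40:].lower() != HOT_WALLET:
        return None             # not sent to the exchange's deposit address
    symbol, decimals = listing
    return (symbol, Decimal(int(log["data"], 16)) / 10**decimals)

old_deposit = make_log(OLD_GALA, USER, HOT_WALLET, 1200 * 10**8)
new_deposit = make_log(NEW_GALA, USER, HOT_WALLET, 100 * 10**8)
misdirected = make_log(NEW_GALA, USER, USER, 100 * 10**8)
```

After a contract migration, the listing table is the single place that has to change, and any transfer emitted by the retired address falls through to the "unlisted contract" branch.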
Earlier, analysts at SlowMist also warned the crypto community about a “known operational issue” in the LDO Token contract, saying the flaw has already been exploited on trading platforms without naming them. X-explore claims the hackers who have been trying to trick exchanges with the old GALA tokens were also involved in the LDO false top-ups and the Nomad Bridge attack last August 2023.