The gaming platform Aurory has fallen victim to a major hack, significantly affecting its liquidity. It occurred via a security breach in its SyncSpace Aurory Bridge on Camelot’s DEX Arbitrum.
The platform has reportedly lost 80% of its AURY-USDC pool liquidity and around $830,000 worth of its native tokens to the bridge exploit. The news was revealed in a post made on X by Aurory’s official account on 17 December.
According to the team, a malicious actor was able to exploit the marketplace’s buy endpoint, allowing them to increase their $AURY balance in SyncSpace. They added:
“This allowed them to withdraw around 600K tokens to the Arbitrum network, which they then proceeded to market sell into our bids, liquidating the full amount of their theft.”
A swift action
Aurory acted quickly by disabling SyncSpace to protect the funds and stabilise the market. During this maintenance, assets cannot be deposited or withdrawn, said the team.
No user funds or non-fungible tokens (NFT) were lost or are at risk due to the hack. The stolen $AURY came from a team wallet which funds withdrawals for accounts that have not previously deposited $AURY.
Following the attack, $AURY token’s value dropped by 17% to $1.17. However, it seemed to recover at the time of press as it changed hands for $1.24, up by over 17% over the last 24 hours. The team is buying back tokens too while they continue their investigation.
They have also assured that the exploit is not ongoing. With SyncSpace offline for maintenance, there is currently no risk of any further exploits. Adding on, they said:
“We swiftly moved to absorb sell pressure through our marketmaker and through pool rebalancing. The exploiter does not have any more $AURY left to sell.”
What’s next?
Aurory is currently working on restoring SyncSwap functionality soon “in the coming days” after the vulnerability has been tended to.
A more in depth post-mortem of the situation will be given once the team has patched the issue and wraps up the investigation. They are still planning to announce the new Amber patch and an EOY event for Seekers of Tokane in the coming week.
The official message also discussed the need for further investigations to uncover how this bug went undetected despite an expert audit which was conducted just months ago. Web3 security firm, Ottersec, was involved in this code auditing.
Aurory had integrated support for Arbitrum via SyncSpace in July. This cross-chain integration opened up a new on-ramp for users to interact with the platform from their native blockchain. The announcement also revealed plans to integrate with additional blockchains in the future.
There have been a growing number of DeFi exploits targeting bridges. Recently, OKX ($OKB) suffered a security breach in its decentralised exchange (DEX), resulting in the theft of over $400,000.
OKX’s exploit reportedly occurred during the token exchange process where users authorise a TokenApprove contract, and the DEX contract transfers the tokens requested.
