Concerned members of the Gala Games community have identified a series of “unauthorized” withdrawals from the GalaChain bridge.
The total amount of remittances over almost a month from October 13th to November 10th was 140 million GALA, equivalent to approximately $1.5 million at the time.
Given Gala’s checkered past, community members were “closely monitoring” the bridging efforts.
It came to their attention that exactly 5 million GALA tokens were being withdrawn on Ethereum on a regular basis every day, and when they tried to check the source of the withdrawal, the corresponding deposit transaction did not exist on GalaScan.
A representative from the group contacted Protoss, who reported the deal to Gala via Discord on November 6th, “tagging the CEO and community moderators.”
The group claims that it was told that the missing bridge transactions could be caused by block explorer GalaScan’s “”, although no explanation was provided.work in progress”
Gala took action four days later. During this time, another 25 million GALA tokens (approximately $250,000) were withdrawn from Ethereum Bridge.
read more: Re7 Labs threatens whistleblower over risk of vault collapse
Total amount of “unauthorized” withdrawals: 140 million GALA
Since October 13, 26 withdrawals of 5 million GALA were made from the bridge almost every day. The recipient exchanged the tokens for ETH at a series of Ethereum addresses.
A further 10 million GALA was then withdrawn on November 10, hours before the bridge was suspended.
The bridge transaction history downloaded from GalaScan is There are no matching bridge transactions on the GalaChain side.
Taking the first suspicious withdrawal that occurred on October 13th at 15:55 UTC as an example, there are transactions around 18,800 GALA and 24,000 GALA in the GalaScan data.
However, the 5 million GALA minted on Ethereum has no corresponding deposit transaction on GalaChain.
There are 18,800 GALA and 24,000 GALA transactions in the GalaScan data.
However, the 5 million GALA minted on Ethereum has no corresponding transaction on GalaChain.
The same pattern was then repeated until 5 million GALA withdrawals were made each day until the bridge was suspended.
The group believes that such a unilateral bridge withdrawal “demonstrates the potential for privileged access to be compromised.”
This theory appears to be supported by the team’s decision to execute the change authority transaction immediately after suspending the bridge on November 10th.
Gala’s reply
The group claims that Gala has not disclosed the incident or confirmed the cause. Discord’s announcement regarding the suspension of Ethereum and Solana Bridge simply cites “community feedback and concerns.”
Protos reached out to Gala but did not receive a response by the time this article was published. It will be updated if there is a reply.
This incident is similar to the May 2024 hack where 600 million GALA was sold for $21 million. “We messed up our internal controls…This should never have happened, and we are taking steps to ensure it never happens again,” Gala CEO Eric Schiermeyer said at the time.
read more: Karma in DeFi: Garden gets hacked for $11 million after bridging Lazarus’s spoils
The group noted “similarities between the two incidents, which involved misuse of privileged credentials, delayed detection, and substitution of emergency powers.”
It claims that this pattern of behavior “suggests a continuing risk to Gala’s infrastructure and token holders.”
