Aurory, a Solana-based web3 game drawing inspiration from Pokemon, lost around $830,000 worth of its native tokens to a bridge exploit.
This incident transpired on December 17 when a hacker exploited a vulnerability in Aurory’s marketplace, specifically compromising the “buy endpoint.” This exploit enabled the perpetrator to manipulate the balance of AURY tokens within SyncSpace—an integral component of Aurory’s “hybrid on-chain/off-chain inventory system” that facilitates asset bridging between Solana and Arbitrum.
The hacker successfully siphoned 600,000 AURY tokens, equivalent to $830,000 at the time, from a wallet under the control of the Aurory team. Subsequently, these ill-gotten tokens were transferred to Arbitrum and offered for sale on Camelot, a decentralized exchange.
Aurory responded promptly by temporarily taking SyncSpace offline to address the identified vulnerability. The team used its market maker to repurchase the entire volume of stolen AURY tokens. As a result, liquidity in the AURY/USDC pool on Camelot fell by 80% from $1.5 million.
In a public communication via Twitter, Aurory assured stakeholders that the exploiter no longer possessed any AURY tokens to sell. The team expeditiously mitigated the impact by leveraging the market maker and implementing pool rebalancing strategies.
Emphasizing the integrity of user assets, Aurory asserted that there is no lingering threat of further losses. Even so, the AURY token’s value has decreased by 20% since the start of the exploit, as reported by CoinGecko.
Aurory intends to reinstate SyncSpace functionality shortly, after patching the identified vulnerability. The exploit occurred despite Aurory’s prior engagement with OtterSec, a web3 security firm, for comprehensive code auditing. Additionally, Aurory had integrated support for Arbitrum via SyncSpace in July.
This incident underscores the persistent risk associated with cross-chain bridges in the web3 ecosystem. According to Rekt, a notable source of cryptocurrency insights, four of the five most substantial DeFi exploits specifically targeted bridges. Ronin, Poly Network, BNB Bridge, and Wormhole collectively suffered losses exceeding $2.1 billion in assets due to such exploits.