Vulcan Forged - Security Incident Analysis
What Happened
On December 13, 2021, Vulcan Forged, a blockchain gaming studio and NFT marketplace, suffered a significant security breach affecting user wallet accounts. The incident resulted in the compromise of 96 addresses and the theft of cryptocurrency assets worth approximately $140 million.
Attack Vector
The attack exploited compromised private keys associated with user wallets integrated into the Vulcan Forged platform. These wallets were provided through a third-party service called Venly, which facilitated wallet management for user accounts on the gaming platform.
Technical Root Cause
The article does not provide specific technical details about how the private keys were compromised. It notes that "Compromised keys" cannot be externally analyzed, which "benefits only the insiders." The exact responsibility—whether Vulcan Forged lacked due diligence or if the wallet provider Venly was at fault—remains unclear.
Financial Impact
Total stolen: Over 4.5 million PYR tokens valued at ~$140 million at time of attack
Token composition: Primarily PYR, plus ETH and MATIC tokens
Example wallet: ~$40 million in PYR and ~$600k in ETH moved to secondary addresses
Market impact: PYR token price dropped approximately 30%, from ~$31 to a low of $21.47
Hacker Addresses
Ethereum: 0x48ad05a3B73c9E7fAC5918857687d6A11d2c73B1
Polygon: 0x48ad05a3B73c9E7fAC5918857687d6A11d2c73B1
Secondary wallet example: 0xe3cd90be37a79d9da86b5e14e2f6042cd0e53b66
Remediation & Fund Recovery
The Vulcan Forged team responded quickly with:
1. Reimbursement: Majority of affected wallets were reimbursed from the project treasury
2. Promised commitment: Team pledged to pursue a "100% decentralised system going forward"
3. Wallet solution: Commitment to remove custodial wallets
4. Communication: Regular updates provided via Twitter