Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 179 · Private Key Compromise

PlayDapp Mint Exploit

A stolen admin key let the attacker add themselves as a minter and produce 1.79B PLA across two strikes — nominal $290M, only $32M successfully cashed out.

Date:
Victim: PlayDapp
Chain(s):
Status: Partially Recovered

Between February 9 and February 12, 2024, an attacker minted 1.79 billion PLA tokens on the PlayDapp gaming platform — a nominal $290 million at then-current prices. PLA was the in-platform currency of a Korean Web3 gaming ecosystem.

What happened

The attacker did not exploit a logic bug — they stole an admin key that controlled the PLA token contract's privileged functions. With that key, they:

  1. Added themselves as a minter, granting their own address the authority to create new PLA.
  2. Stripped existing administrators of their permissions, locking the legitimate team out.
  3. Minted 200 million PLA (~$36.5M) in the first attack on February 9.
  4. Returned three days later and minted another 1.59 billion PLA (~$253.9M) on February 12.
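
The sequence above (a new minter granted, administrators removed, then large mints) leaves a recognisable trail in a token contract's events. As an added example, not code from PlayDapp or the cited reports, the monitor below flags that trail over already-decoded events; the event names, addresses, allowlist and thresholds are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    ts: int          # seconds since the start of the sample
    name: str        # "MinterAdded", "AdminRemoved" or "Mint" (hypothetical names)
    actor: str       # transaction sender
    subject: str     # address granted or removed, or the mint recipient
    amount: int = 0  # whole tokens, Mint events only

APPROVED_MINTERS = {"0xTreasury"}  # assumed allowlist kept by the token team
FRESH_WINDOW = 7 * 24 * 3600       # assumed: a new minter counts as "fresh" for 7 days
MINT_LIMIT = 10_000_000            # assumed per-transaction mint ceiling

def detect(events):
    """Return (ts, severity, reason) alerts for role changes and suspicious mints."""
    alerts, granted_at = [], {}
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.name == "MinterAdded":
            granted_at[e.subject] = e.ts
            if e.subject not in APPROVED_MINTERS:
                alerts.append((e.ts, "critical", f"unapproved minter {e.subject} added by {e.actor}"))
        elif e.name == "AdminRemoved":
            alerts.append((e.ts, "critical", f"admin {e.subject} removed by {e.actor}"))
        elif e.name == "Mint":
            reasons = []
            if e.actor not in APPROVED_MINTERS:
                reasons.append("minter not on allowlist")
            if e.actor in granted_at and e.ts - granted_at[e.actor] <= FRESH_WINDOW:
                reasons.append("minter role granted recently")
            if e.amount > MINT_LIMIT:
                reasons.append("amount over limit")
            if reasons:
                alerts.append((e.ts, "critical", f"mint of {e.amount} by {e.actor}: " + ", ".join(reasons)))
    return alerts

HOUR = 3600
# Constructed sample: mint amounts follow the article, everything else is made up.
SAMPLE = [
    Event(0 * HOUR, "MinterAdded", "0xAdminKey", "0xNewMinter"),
    Event(1 * HOUR, "AdminRemoved", "0xAdminKey", "0xTeamAdmin"),
    Event(2 * HOUR, "Mint", "0xNewMinter", "0xNewMinter", 200_000_000),
    Event(30 * HOUR, "Mint", "0xTreasury", "0xRewards", 1_000_000),  # routine mint
    Event(74 * HOUR, "Mint", "0xNewMinter", "0xNewMinter", 1_590_000_000),
]

if __name__ == "__main__":
    for ts, sev, reason in detect(SAMPLE):
        print(f"t+{ts // HOUR:>3}h [{sev}] {reason}")
```

The role-change alerts fire before any token is minted, which is the point at which pausing the contract still prevents dilution.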

Aftermath

  • The attacker only managed to convert about $32 million of the stolen tokens into other assets before exchanges froze associated addresses; the rest sat in their wallet as dilution that destroyed PLA's value rather than netting them cash.
  • PlayDapp paused the PLA contract and announced a migration to a new "PDA" token with multi-signature controls. Existing holders were issued PDA at a fixed ratio; the attacker's minted PLA was effectively voided.
  • The loss to legitimate PLA holders was real: market cap collapsed during the incident.

Why it matters

A single privileged key on a non-upgradeable contract can be worse than an upgradeable contract — because there is no mechanism to revoke a stolen authority short of a hard migration. Most tokens issued in 2024 and 2025 ship with mint authority either renounced post-launch or gated behind a Safe multi-sig with timelock.
