Gala Games Admin Mint
Attacker took over a dormant MINTER role to mint 5B GALA ($216M), sold $21.8M before being blacklisted; the remaining 4.4B tokens are effectively burned.
- Date: May 20, 2024
- Victim: Gala Games
- Chain(s): Ethereum
- Status: Partially Recovered
On May 20, 2024, an attacker minted 5 billion GALA tokens — a nominal $216 million at market price — from a dormant MINTER role on the Gala token contract that had not been used in over 180 days. The attacker sold 592 million tokens for $21.8M in ETH before Gala Games blacklisted the address; the remaining 4.4B tokens were stranded.
What happened
The GALA token contract on Ethereum exposed a MINTER role that could create new tokens. Gala Games had granted this role to multiple administrative addresses during the contract's history. One of those addresses had not been used in 180+ days and had likely been forgotten by the team — or its access had quietly been compromised.
The attacker, having acquired that dormant key, called mint() and produced 5 billion GALA directly to an address they controlled. They immediately routed the freshly minted tokens through DEXs, swapping aggressively into ETH:
- ~592M GALA sold into the market over the next 45 minutes
- ~$21.8M in ETH netted from the sales before the move triggered alerts and the GALA team intervened.
Aftermath
- Gala Games identified the unauthorised mint, revoked the MINTER role and blacklisted the compromised address within 45 minutes of the first sale, locking the attacker's remaining 4.4 billion GALA in that wallet, where they cannot be transferred or sold.
- The remaining tokens are described by Gala as "effectively burned" — they exist in the supply but are inaccessible.
- GALA price dropped roughly 20% during the incident and recovered partially over the following days as the market understood that the stranded tokens were effectively burned.
- Gala Games is in litigation with several parties related to the incident, including its bridge operator pNetwork.
Why it matters
Gala Games is a case study in role hygiene over time: privileged addresses, once authorised, tend to stay authorised unless someone explicitly revokes them. Best practice is to expire privileged roles (for example via timelock contracts that auto-revoke after inactivity), rotate admin keys on a fixed schedule, and periodically audit every address holding MINTER, UPGRADE or ADMIN capabilities. Gala paid $21.8M for what is essentially a forgotten authorisation.
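The periodic role audit this paragraph recommends, together with the large-mint alert that the incident narrative above implies should have fired, as an added example that is not part of the original page or of Gala's own tooling. It assumes the token follows the OpenZeppelin AccessControl pattern (RoleGranted/RoleRevoked events) and that mints surface as ERC-20 Transfer events from the zero address; the addresses, timestamps, amounts and the 100M-token single-mint cap are constructed, while the 180-day dormancy window is the one the page cites.

```python
"""Role-hygiene audit for an AccessControl-style token (added example).

Assumptions, not taken from the page: the contract emits
RoleGranted(role, account, sender) / RoleRevoked(role, account, sender),
and mints appear as ERC-20 Transfer(from=0x0, to, value). Each record
also carries the transaction sender so a mint can be attributed to the
minter key that signed it. All data below is constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MINTER_ROLE = "MINTER_ROLE"           # label standing in for the bytes32 role id
ZERO_ADDRESS = "0x" + "0" * 40
DORMANCY = timedelta(days=180)        # dormancy threshold cited on the page
SINGLE_MINT_CAP = 100_000_000         # hypothetical policy cap, whole tokens


@dataclass
class Event:
    """One decoded log: mined time, event name, tx sender, decoded args."""
    block_time: datetime
    name: str
    tx_from: str
    args: dict = field(default_factory=dict)


def _utc(y, m, d, h=0):
    return datetime(y, m, d, h, tzinfo=timezone.utc)


# Constructed sample history (not real Gala on-chain data).
ADMIN = "0xad00000000000000000000000000000000000000"
TREASURY = "0x7e00000000000000000000000000000000000000"
MINTER_A = "0xa000000000000000000000000000000000000001"  # ops key in regular use
MINTER_B = "0xb000000000000000000000000000000000000002"  # key nobody rotated
UNKNOWN = "0xbad0000000000000000000000000000000000000"   # recipient of the big mint
EVENTS = [
    Event(_utc(2022, 1, 10), "RoleGranted", ADMIN, {"role": MINTER_ROLE, "account": MINTER_A}),
    Event(_utc(2022, 1, 10), "RoleGranted", ADMIN, {"role": MINTER_ROLE, "account": MINTER_B}),
    Event(_utc(2023, 9, 1), "Transfer", MINTER_B, {"from": ZERO_ADDRESS, "to": TREASURY, "value": 2_000_000}),
    Event(_utc(2024, 4, 15), "Transfer", MINTER_A, {"from": ZERO_ADDRESS, "to": TREASURY, "value": 1_000_000}),
    Event(_utc(2024, 5, 20, 10), "Transfer", MINTER_B, {"from": ZERO_ADDRESS, "to": UNKNOWN, "value": 5_000_000_000}),
    Event(_utc(2024, 5, 20, 11), "RoleRevoked", ADMIN, {"role": MINTER_ROLE, "account": MINTER_B}),
]


def role_holders(events, role, as_of):
    """Replay grants/revokes up to `as_of`; returns account -> time the role was granted."""
    holders = {}
    for ev in sorted(events, key=lambda e: e.block_time):
        if ev.block_time > as_of:
            break
        if ev.args.get("role") != role:
            continue
        if ev.name == "RoleGranted":
            holders[ev.args["account"]] = ev.block_time
        elif ev.name == "RoleRevoked":
            holders.pop(ev.args["account"], None)
    return holders


def last_mint_by_sender(events, as_of):
    """Mints are Transfers from the zero address; record the latest one per tx sender."""
    last = {}
    for ev in events:
        if ev.block_time <= as_of and ev.name == "Transfer" and ev.args.get("from") == ZERO_ADDRESS:
            last[ev.tx_from] = max(last.get(ev.tx_from, ev.block_time), ev.block_time)
    return last


def dormant_minters(events, as_of, dormancy=DORMANCY):
    """Minter-role holders whose last mint (or grant, if never used) is older than `dormancy`.

    Returns sorted (account, idle_days) pairs; a key that was granted and never
    exercised counts as idle since the grant, so it is flagged too.
    """
    holders = role_holders(events, MINTER_ROLE, as_of)
    last_used = last_mint_by_sender(events, as_of)
    findings = []
    for account, granted_at in holders.items():
        idle = as_of - last_used.get(account, granted_at)
        if idle > dormancy:
            findings.append((account, idle.days))
    return sorted(findings)


def oversized_mints(events, cap=SINGLE_MINT_CAP):
    """Single mints above the policy cap: the alert that should page on-call immediately."""
    return [
        (ev.block_time.date().isoformat(), ev.tx_from, ev.args["value"])
        for ev in events
        if ev.name == "Transfer" and ev.args.get("from") == ZERO_ADDRESS and ev.args["value"] > cap
    ]


if __name__ == "__main__":
    # A scheduled audit run three weeks before the constructed incident.
    for account, days in dormant_minters(EVENTS, _utc(2024, 5, 1)):
        print(f"DORMANT minter {account}: idle {days} days, revoke or rotate")
    for when, sender, value in oversized_mints(EVENTS):
        print(f"ALERT {when}: {sender} minted {value:,} tokens above cap")
```

Run on a schedule, the dormancy check is the audit the paragraph describes: any MINTER holder that has neither minted nor been re-authorised inside the window is a candidate for revocation, and a key that was granted but never used is treated as idle from the grant rather than silently trusted. The mint-size check is independent of role state, so it still fires when a legitimately authorised but compromised key mints far outside normal operating volume.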
Sources & on-chain evidence
- [01] theblock.co: https://www.theblock.co/post/295520/gala-games-hacked-gala-token-plummets
- [02] rekt.news: https://rekt.news/gala-games-rekt
- [03] beincrypto.com: https://beincrypto.com/gala-games-exploit-hacker-mints-214-million/