Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 068 · Private Key Compromise

Vulcan Forged Wallet Custody Breach

148 Vulcan Forged user wallets lost 4.5M PYR ($140M) after attackers compromised Venly custody holding their private keys. Refunded in full from treasury.

Date
Status: Recovered

On December 13, 2021, the play-to-earn NFT platform Vulcan Forged suffered a custody breach affecting 148 user wallets managed by its embedded wallet provider Venly. Attackers extracted private keys for 96 of those wallets and drained approximately 4.5M PYR (~$140M), plus smaller amounts of ETH and MATIC.

What happened

Vulcan Forged used Venly (formerly Arkane Network) as an embedded custodial wallet service — Venly held the keys on behalf of Vulcan Forged users so they could interact with the platform without managing seeds directly.

The attacker compromised the Vulcan Forged server that held Venly authentication credentials. Using those credentials, they impersonated Vulcan as an institutional Venly customer and requested private keys for individual user wallets — receiving them through Venly's legitimate key-export flow.

With keys in hand, the attacker drained the top 96 user wallets by holdings, taking nearly 9% of PYR's total supply along with ETH and MATIC.

Aftermath

  • Vulcan Forged announced a full reimbursement plan within 24 hours: affected wallets received PYR and LAVA tokens from the project's treasury, restoring users' original balances.
  • The attacker's address was blacklisted across major exchanges within days.
  • All major refunds completed within 48 hours of the incident.

Why it matters

Vulcan Forged is one of the clearest examples of the embedded-custody trust chain problem: when a project uses an external custodian to hold user keys, the project's own infrastructure security determines whether those keys remain safe. The custodian (Venly) was not breached — Vulcan Forged's authentication credentials were — but the user-side result was identical to a custodian compromise.

Modern embedded-wallet products (MPC wallets, social-recovery wallets like those used by Coinbase Wallet, Privy, etc.) explicitly architect around this risk: even an attacker who fully impersonates the project cannot retrieve a single complete private key.
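The contrast drawn above, as an added example that is not taken from this page and is not Venly's or Vulcan Forged's code or API. The class names, `PROJECT_CRED` and the wallet ids are hypothetical, and 2-of-2 XOR secret sharing stands in for the MPC schemes real products use, which sign without ever reassembling the key.

```python
import hmac, secrets

PROJECT_CRED = secrets.token_hex(16)  # constructed stand-in for the project's API credential

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class CustodialVault:
    """Model A: the custodian stores whole keys and exports them to the project."""
    def __init__(self):
        self._keys = {}
    def create_wallet(self, wallet_id):
        self._keys[wallet_id] = secrets.token_bytes(32)
        return self._keys[wallet_id]
    def export(self, cred, wallet_id):
        if not hmac.compare_digest(cred, PROJECT_CRED):
            raise PermissionError("bad credential")
        return self._keys[wallet_id]       # the complete key leaves the vault

class SplitKeyVault:
    """Model B: the custodian stores one XOR share; the other stays on the user's device."""
    def __init__(self):
        self._shares = {}
    def create_wallet(self, wallet_id):
        key = secrets.token_bytes(32)
        device_share = secrets.token_bytes(32)   # uniform random pad, given to the user only
        self._shares[wallet_id] = xor(key, device_share)
        return key, device_share
    def export(self, cred, wallet_id):
        if not hmac.compare_digest(cred, PROJECT_CRED):
            raise PermissionError("bad credential")
        return self._shares[wallet_id]     # a share, independent of the key on its own

def exposed_with_project_credential(vault, cred, true_keys):
    """Wallet ids whose complete key is obtainable with the project credential alone."""
    return sorted(w for w, k in true_keys.items() if vault.export(cred, w) == k)

def simulate(n=5):
    """Hold the project credential (as the project or an impersonator) against both models."""
    a, b = CustodialVault(), SplitKeyVault()
    keys_a, keys_b, device = {}, {}, {}
    for i in range(n):
        w = f"wallet-{i}"
        keys_a[w] = a.create_wallet(w)
        keys_b[w], device[w] = b.create_wallet(w)
    recombined = all(xor(b.export(PROJECT_CRED, w), device[w]) == keys_b[w] for w in keys_b)
    return (exposed_with_project_credential(a, PROJECT_CRED, keys_a),
            exposed_with_project_credential(b, PROJECT_CRED, keys_b),
            recombined)
```

In model A the project credential is equivalent to every user key, so its storage and rotation deserve the same controls as the keys themselves; in model B the same credential yields nothing usable without the user's device share.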

Sources & on-chain evidence

  1. coindesk.com: https://www.coindesk.com/business/2021/12/14/gaming-platform-vulcan-forged-refunds-users-after-140m-hack
  2. cryptobriefing.com: https://cryptobriefing.com/nft-marketplace-vulcan-forged-hacked-for-140m/
  3. forkast.news: https://forkast.news/headlines/vulcan-forged-replaces-token-stolen-hack/
