pNetwork devs steal $4.3 million in white hat hack


In a ‘white hat’ hack, pNetwork bridge developers steal $4.3 million from PancakeSwap.

The creators of pNetwork, an independent cross-chain bridge protocol used to move assets between multiple chains, collected $4.3 million in pgala (pegged gala) tokens distributed to bridge users in an ethical manner.

According to on-chain research by security company BlockSec,  the “white hat” hack was carried out today, as the team claimed to have uncovered a “misconfiguration” in the token’s smart contract. The pNetwork developers sought to outrun any harmful hackers by “depleting” pgala tokens stored in PancakeSwap pools. These pNetwork-issued tokens are a 1:1 tokenized version of the gala tokens used in the play-to-earn initiative Gala Games.



The tokens are issued whenever users cross gala tokens from Ethereum’s original chain to the BNB Chain via the pNetwork bridge. Anyone may use pNetwork to lock their assets as collateral in the bridge contract, including gala tokens, and issue tokenized gala, also known as pgala.

The pgala tokens are managed by the pNetwork team using smart contracts and may be exchanged on decentralized exchanges on the BNB Chain, such as PancakeSwap. The company said today that it has uncovered a bug that might allow anyone to steal from the pgala smart contract. As a result, the contract had to be fixed and redeployed as soon as possible.


“The redeployment of pGala was forced by a misconfiguration of the pNetwork bridge,” pNetwork explained.






Table of Contents

The white hat hack


It went on to say that before it could redeploy the token contract, it had to drain the token in liquidity pools and undertake a white hat attack to safeguard the value of the tokens trapped in the bridge contract. The pNetwork developers created billions of pgala tokens out of thin air and traded them for BNB tokens to deplete pgala liquidity on PancakeSwap. Because of the contract’s privileged access, the team was able to mint these tokens.



BlockSec said: “Our investigation shows that pNetwork had a privileged address and could mint the token. This address minted lots of tokens. As explained by pNetwork, the reason they minted and sold such a large number of pNetwork, is because they intentionally drained the pool to deploy a new pGala contract.”



On-chain data given by security company Beosin revealed that an address, now believed to be the pNetwork team, generated 55 billion gala tokens and exchanged them for over 12,976 BNB tokens worth around $4.3 million in several transactions.

PNetwork emphasized that all gala tokens on Ethereum, as well as the underlying bridge collateral, were secure, and that it intends to pay pgala and BNB to user addresses in proportion to their PancakeSwap pool positions after taking a snapshot of their positions.





Gala Games responded to the situation, claiming that its token was “not hacked, compromised, or abused in any manner,” and directing users to pNetwork’s articles about white hat behavior.

Nonetheless, the event created havoc in the gala token market. According to CoinGecko, the token fell 13% on the day.