The Pokémon-like battler game Aurory experienced an exploit Sunday evening that allowed the attacker to withdraw around 600,000 AURY tokens worth about $830,000 at the approximate time of the exploit. Ultimately, Aurory's developers disabled its SyncSpace blockchain bridge that connects the game to both Solana and the Ethereum scaling network Arbitrum.
Reached for comment, Aurory Executive Producer Jonathan Campeau told Decrypt that the team is currently working to release a global patch for its backend services to resolve the issue.
“It was a race condition attack on our off-chain marketplace,” Campeau explained. “The user was able to send several buy purchase requests simultaneously, the seller received twice the amount and the buyer was debited only once.”
The marketplace exploit caused an 80% plunge in AURY-USDC liquidity on the decentralized exchange Camelot, and the price of AURY is down about 17% since early Sunday, per CoinGecko data, meaning that the roughly $830,000 worth of AURY siphoned would now be worth about $690,000 at time of writing. After seeing a dip down to about $0.95 per AURY token, its price has since rebounded to roughly $1.15.
The Aurory team further explained on Twitter that the marketplace exploit allowed the exploiter to pull funds from an Aurory developer team wallet and move the tokens to Arbitrum. No user funds or NFTs were stolen or are currently at risk, according to the studio.
“With the release of Seekers, we've had a lot of eyes on us and unfortunately a lot of bad actors are coming out as well trying to hack our systems,” Campeau told Decrypt, referring to the recent Seekers of Tokane Aurory game expansion announced last month.
Aurory’s platform had previously been audited by a cybersecurity firm, Ottersec, that did not flag the issue, Campeau told Decrypt.
The world of Aurory just got a whole lot bigger with its latest Seekers of Tokane addition, bringing "roguelike" role-playing gameplay to the Pokémon-inspired fantasy battler—and the game is launching on the Epic Games Store, a major mainstream gaming marketplace.
Seekers of Tokane launches in early access Thursday to Aurorian NFT holders, and access codes will be doled out for the broader community in the coming weeks, according to a statement exclusively shared with Decrypt.
The expansion adds...
“This attack type does not fall within their scope, from what I've been told,” Campeau said.
“We agree with Campeau’s comment that this issue was unfortunately out of the scope of our audit. That being said, we’re working with the Aurory team to attempt to recover assets and move forward with next steps,” OtterSec founder Robert Chen told Decrypt via email December 21.
Like many crypto exploits and attacks, what happened to Aurory could have been prevented, cybersecurity firm Halborn’s COO David Schwed told Decrypt.
“If an attacker was able to exploit the marketplace, then theoretically the vulnerability was discoverable and preventable,” Schwed argued, adding that a third-party audit isn’t enough on its own to maintain high levels of platform security.
Michael Natoli, Aurory's Head of Marketing and Business Development, tells Decrypt's Jason Nelson about how the Aurory games will use NFTs and crypto and shares the studio's broader stance on the tech.
Once the exploit has been patched, the Aurory team expects to bring its bridge back online “in the coming days.”
This year, Aurory has continued to develop its gaming ecosystem with its upcoming Seekers of Tokane launch on the Epic Games Store. While the studio first launched NFTs on Solana, it expanded to Arbitrum in July, taking a multi-chain approach to blockchain gaming.
Edited by Andrew Hayward
Editor's note: This story was updated on December 21 to add comment from OtterSec founder Robert Chen.
GG Newsletter
Get the latest web3 gaming news, hear directly from gaming studios and influencers covering the space, and receive power-ups from our partners.
