The Pokémon-like battler game Aurory experienced an exploit Sunday evening that allowed the attacker to withdraw around 600,000 AURY tokens worth about $830,000 at the approximate time of the exploit. Ultimately, Aurory's developers disabled its SyncSpace blockchain bridge that connects the game to both Solana and the Ethereum scaling network Arbitrum.
Reached for comment, Aurory Executive Producer Jonathan Campeau told Decrypt that the team is currently working to release a global patch for its backend services to resolve the issue.
“It was a race condition attack on our off-chain marketplace,” Campeau explained. “The user was able to send several buy purchase requests simultaneously, the seller received twice the amount and the buyer was debited only once.”
The marketplace exploit caused an 80% plunge in AURY-USDC liquidity on the decentralized exchange Camelot, and the price of AURY is down about 17% since early Sunday, per CoinGecko data, meaning that the roughly $830,000 worth of AURY siphoned would now be worth about $690,000 at time of writing. After seeing a dip down to about $0.95 per AURY token, its price has since rebounded to roughly $1.15.
Just a few hours ago, our team detected unusual activity on our marketplace. After quickly investigating, we discovered that a bad actor was able to exploit our marketplace’s buy endpoint, allowing them to increase their $AURY balance in SyncSpace. This allowed them to withdraw…
— Aurory (Play Now) (@AuroryProject) December 17, 2023
The Aurory team further explained on Twitter that the marketplace exploit allowed the exploiter to pull funds from an Aurory developer team wallet and move the tokens to Arbitrum. No user funds or NFTs were stolen or are currently at risk, according to the studio.
“With the release of Seekers, we've had a lot of eyes on us and unfortunately a lot of bad actors are coming out as well trying to hack our systems,” Campeau told Decrypt, referring to the recent Seekers of Tokane Aurory game expansion announced last month.
Aurory’s platform had previously been audited by a cybersecurity firm, Ottersec, that did not flag the issue, Campeau told Decrypt.
“This attack type does not fall within their scope, from what I've been told,” Campeau said.
“We agree with Campeau’s comment that this issue was unfortunately out of the scope of our audit. That being said, we’re working with the Aurory team to attempt to recover assets and move forward with next steps,” OtterSec founder Robert Chen told Decrypt via email December 21.
Like many crypto exploits and attacks, what happened to Aurory could have been prevented, cybersecurity firm Halborn’s COO David Schwed told Decrypt.
“If an attacker was able to exploit the marketplace, then theoretically the vulnerability was discoverable and preventable,” Schwed argued, adding that a third-party audit isn’t enough on its own to maintain high levels of platform security.
Once the exploit has been patched, the Aurory team expects to bring its bridge back online “in the coming days.”
This year, Aurory has continued to develop its gaming ecosystem with its upcoming Seekers of Tokane launch on the Epic Games Store. While the studio first launched NFTs on Solana, it expanded to Arbitrum in July, taking a multi-chain approach to blockchain gaming.
Edited by Andrew Hayward
Editor's note: This story was updated on December 21 to add comment from OtterSec founder Robert Chen.