Gala quietly changes bridge keys after users flag ‘unauthorized’ withdrawals

Concerned members of the Gala Games community have identified a series of “unauthorized” withdrawals from the GalaChain bridge.

Spanning almost a month, between October 13 and November 10, the transfers total 140 million GALA, worth approximately $1.5 million at the time.

Given Gala’s chequered past, community members had been “keeping a close eye” on bridging activity.

Regular daily withdrawals of exactly 5 million GALA tokens on Ethereum caught their attention, and when attempting to verify their source, corresponding deposit transactions were missing on GalaScan.

The group, a representative of which reached out to Protos, flagged the transactions to Gala via Discord on November 6, “tagging the CEO and community moderator.”

The group claims that it wasn’t provided with an explanation, but was instead told that the missing bridge transactions may be due to block explorer GalaScan being a “work in progress.”

It wasn’t until four days later that Gala took action. During this time, a further 25 million GALA tokens (approximately $250,000) were withdrawn from the Ethereum bridge.

Read more: Re7 Labs threatens whistleblower over exposure to yield vault collapse

‘Unauthorized’ withdrawals total 140M GALA

Beginning on October 13, 26 withdrawals of 5 million GALA each were made from the bridge almost every day. The recipients were a series of Ethereum addresses which then swapped the tokens for ETH.

A further 10 million GALA was then withdrawn on November 10, just hours before the bridge was paused.

The bridge’s transaction history downloaded from GalaScan is missing matching bridge transactions on the GalaChain side.

Taking the first suspicious withdrawal as an example, which occurred on October 13 at 15:55 UTC, the surrounding transactions of 18,800 and 24,000 GALA are present in the GalaScan data.

The 5 million GALA minted on Ethereum, however, has no corresponding deposit transaction on GalaChain.

Transactions of 18,800 and 24,000 GALA are present in the GalaScan data…

However, the 5 million GALA minted on Ethereum has no corresponding transaction on GalaChain.

The same pattern was repeated across subsequent daily withdrawals of 5 million GALA each until the bridge was paused.

The group believes these one-sided bridge withdrawals “indicate a likely compromise of privileged access.”

This theory appears supported by the team’s decision to execute a change authorities transaction shortly after pausing the bridge on November 10.

Gala’s response

The group claims that Gala hasn’t publicly disclosed the incident, nor confirmed the cause. Discord announcements about pausing the Ethereum and Solana bridges simply cite “community feedback and concerns.”

Protos has reached out to Gala, but hasn’t heard back before publication of this article. It will be updated in the event we receive a reply.

The incident bears resemblance to a May 2024 hack in which 600 million GALA was sold for $21 million. Gala’s CEO Eric Schiermeyer stated at the time, “We messed up our internal controls… This shouldn’t have happened and we are taking steps to ensure it doesn’t ever again.”

Read more: DeFi karma: Garden hacked for $11M after bridging Lazarus’ loot

The group notes the “similarity between the two incidents, both involving privileged credential misuse, delayed detection, and emergency authority rotation.”

It argues that the pattern of behaviour “suggests ongoing risks to Gala’s infrastructure and token holders.”