PlayDapp Hack
Incident Overview
PlayDapp, an Ethereum-based P2E game, was exploited due to compromised private keys, resulting in a loss of 1.79 billion PLA tokens worth around 32,350,000 USD.
PlayDapp, a P2E game running on the Ethereum chain, was exploited two times,between Feb 9-12, 2024. The root cause of the exploit was reportedly due to the compromise of private keys. Before the first exploit transactions, a new minter was added to the PlayDapp: PLA Token.
The attacker minted a total of 1.79 billion PLA tokens in two separate incidents, worth around 287,775,772 USD at the time. However, the attacker was able to convert only 32 million USD. The stolen funds were transferred to various addresses, with some being deposited on the Polygon chain, Binance exchange, and a significant portion remaining in the scammer's address as of Feb 13, 2024.
The attacker was funded by FixedFloat. A reward of 1 million USD was offered to the hacker for the immediate return of all stolen contracts and assets.
Attacker's Initial Address:
https://etherscan.io/address/0xD151050d…243a40
Attacker's Additional Addresses:
https://etherscan.io/address/0x1cae9eAa…289155
https://etherscan.io/address/0xe84d086f…2ec03c
https://etherscan.io/address/0x23cAeE36…88B07d
Funds Holders as of Feb 13, 2024:
https://etherscan.io/address/0xa03400E0…517687
https://etherscan.io/address/0xA8eF5e00…06C738
Malicious Transactions:
https://etherscan.io/tx/0xe8be05f6…51fb7e
https://etherscan.io/tx/0xc4168751…6002f8
https://etherscan.io/tx/0x5f73c86a…7e13b9
Binance Deposit Transaction:
https://etherscan.io/tx/0x964837f1…669414
Gate.io Deposit Transaction:
https://etherscan.io/tx/0x1cb750df…fa55a2
"Add Minter" Transaction:
https://etherscan.io/tx/0xe834f283…406170
Polygon Chain Bridge Transaction:
https://etherscan.io/tx/0xfae62c49…17eba4
On-chain message to the hacker:
https://etherscan.io/tx/0xb8c379f3…a31628
Incident Report
Protocol Information
What the Attacker Needed to Succeed
Understanding the prerequisites for this type of attack helps auditors identify protocols that are most at risk and helps developers build better defenses.
What Auditors Should Check
If you're auditing a protocol with similar architecture to PlayDapp, these are the critical security checks that could have prevented this incident (February 2024).
- Verify all logic paths related to Access Control are guarded by proper access controls and input validation - see the Access Control Attacks attack class for patterns
- Review privileged functions (owner, admin, governance) for potential abuse vectors - centralization risks should be documented and bounded with timelocks or multi-sigs
Master these auditing techniques with hands-on labs and real exploit scenarios in the Smart Contract Hacking course.
Free TrialRelated Attack Classes
The technique used in this hack maps to these vulnerability classes in our security curriculum:
Sources & References
- 01
-
02
Web Archive https://archive.is/fMhYW
Learn to Prevent the Next PlayDapp
The PlayDapp hack is one of many attacks that skilled auditors are trained to detect before deployment. Master real exploit patterns and defense techniques with hands-on Web3 security training.