A security breach at cryptocurrency platform Roll allowed a hacker to obtain the private key to its hot wallet and steal its contents — worth about $5.7 million.
In a statement, the company said it was investigating the breach, which happened early Sunday.
“As of this writing, it seems like a compromise of the private keys [sic] of our hot wallet and not a bug in the Roll smart contracts or any token contracts,” the statement said. Roll said the attacker had already sold the tokens for Ethereum.
“There is no further user action suggested at this stage. We are temporarily disabling withdraw from the Roll wallet of all social money until we have migrated our hot wallet,” the statement added.
It’s not clear how the attacker broke in and obtained the private key — akin to the password for Roll’s hot wallet. Hot wallets are designed to be connected to the internet to send and receive cryptocurrency, but typically only store a fraction of a cryptocurrency owner’s total reserves, given the inherent security risk of an internet-connected wallet. A cold wallet, or storage device that isn’t connected to the internet, is typically used for holding the bulk of an owner’s cryptocurrency for longer-term periods.
Roll allows creators to mint and distribute their own Ethereum-based cryptocurrency, known as social tokens, under which the creators can decide how the currency is spent. There are hundreds of different kinds of social currency on the platform, including $WHALE, $RARE, and $PICA tokens — which plummeted in value in the aftermath of the breach.
The creator of the $WHALE token said in a tweet that more than 2% of its tokens were stolen in the Roll breach, but that the hack was “minimally detrimental” to the project.
Others weren’t so lucky. One person said they had “lost everything,” while others criticized Roll’s new $500,000 fund to help affected creators for not going far enough.
Roll said it will hire a third party to audit its security infrastructure to prevent another breach. “We will also run a forensic analysis to figure out how the key was compromised,” the statement said.