Sports NFT minting platform and Animoca Brands subsidiary Lympo suffered from a hot wallet security breach and lost 165.2 million LMT tokens worth $18.7 million at the time of the hack.
A short Medium update from the Lympo team stated that on Jan. 10 hackers managed to gain access to Lympo’s operational hot wallet and “stole a total of approximately 165.2 million LMT from it.”
According to the post, ten different project wallets were compromised in the attack. It appears that most of the stolen tokens were sent to a single address, swapped for Ether (ETH) on Uniswap and Sushiswap, then sent elsewhere.
LMT price tumbled 92% to $0.0093 after hackers transferred then sold the loot from the project’s hot wallets.
A subsequent Jan. 11 tweet from the team stated that they were “working on stabilizing the situation and resuming all operations back to normal.” The team also stated that it had removed liquidity LMT from liquidity pools to “minimize disruption to token prices.”
#Lympo provides an update on the $LMT token slippage and hacking that occurred on January 10th at approximately 12:32 pm UTC. We’re working on stabilizing the situation and resuming all operations back to normal.https://t.co/i07w5zoOwW@animocabrands
— Lympo.io – Crypto Community (@Lympo_io) January 10, 2022
Removing liquidity from pools that trade LMT means that traders will not be able to buy or sell any significant amount of the tokens without experiencing a dramatic loss of value on their trade.
Early on Jan. 11, the team urged traders to refrain from buying or selling any LMT tokens while they completed their investigation and determined the next best course of action.
As a subsidiary property of Animoca Brands, Lympo may benefit from intervention from the Animoca team. Animoca CEO Yat Siu told Cointelegraph, “We are working with Lympo to assist them on a recovery plan, but we don’t have any specific mechanisms.”
The second hot wallet hack this week
Centralized crypto exchange LCX also suffered from a security breach on one of its hot wallets, leading to the loss of nearly $7 million on Jan. 8. In this case, the hacker made off with stacks of eight different crypto assets.
LCX lost varying amounts of MKR, ENJ, LINK, QNT, SAND, ETH, LCX, and USDC. The majority of the funds were converted to ETH then sent to Tornado Cash, a privacy tool designed to hide the source and destination of ETH.
The LCX team released an update on Jan. 10 assuring users that they would be compensated for the losses incurred and that no personal data was compromised during the attack. The team wrote:
“LCX will use our own funds to cover the incident and compensate affected users. There will be no impact on user balances at LCX.”