Sports nonfungible token (NFT) minting platform and Animoca Brands subsidiary Lympo suffered a hot wallet security breach and lost 165.2 million LMT tokens worth $18.7 million at the time of the hack.
A short Medium update from the Lympo team stated that on Monday, hackers managed to gain access to Lympo’s operational hot wallet and “stole a total of approximately 165.2 million LMT from it.”
According to the post, 10 different project wallets were compromised in the attack. It appears that most of the stolen tokens were sent to a single address, swapped for Ether (ETH) on Uniswap and SushiSwap, then sent elsewhere.
LMT’s price tumbled 92% to $0.0093 after hackers transferred then sold the loot from the project’s hot wallets.
A subsequent Tuesday tweet from the team stated that it was “working on stabilizing the situation and resuming all operations back to normal.” The team also stated that it had removed liquidity LMT from liquidity pools to “minimize disruption to token prices.”
#Lympo provides an update on the $LMT token slippage and hacking that occurred on January 10th at approximately 12:32 pm UTC. We're working on stabilizing the situation and resuming all operations back to normal.https://t.co/i07w5zoOwW@animocabrands
— Lympo.io – Crypto Community (@Lympo_io) January 10, 2022
Removing liquidity from pools that trade LMT means that traders will be unable to buy or sell any significant amount of the tokens without experiencing a dramatic loss of value on their trade.
Early on Tuesday, the team urged traders to refrain from buying or selling any LMT tokens, while it completed its investigation and determined the next best course of action.
As a subsidiary property of Animoca Brands, Lympo may benefit from intervention from the Animoca team. Animoca CEO Yat Siu told Cointelegraph, “We are working with Lympo to assist them on a recovery plan, but we don’t have any specific mechanisms.”
The second hot wallet hack this week
Centralized crypto exchange LCX also suffered a security breach to one of its hot wallets, leading to the loss of nearly $7 million on Saturday. This time, the hacker made off with stacks of eight different crypto assets.
LCX lost varying amounts of Maker (MKR), Enjin (ENJ), Chainlink (LINK), Quant (QNT), The Sandbox (SAND), ETH, LCX and USD Coin (USDC). The majority of the funds were converted to ETH then sent to Tornado Cash, a privacy tool designed to hide the source and destination of ETH transactions.
Related: ImmuneFi report $10B in DeFi hacks and losses across 2021
The LCX team released an update on Monday, assuring users that they would be compensated for the losses incurred and that no personal data was compromised during the attack. The team wrote:
“LCX will use our own funds to cover the incident and compensate affected users. There will be no impact on user balances at LCX.”