Unauthorized Withdrawals Detected in Gala Games Community
Concerned members of the Gala Games community have raised alarms over a series of “unauthorized” withdrawals from the GalaChain bridge. Over the span of nearly a month, from October 13 to November 10, a total of 140 million GALA tokens, valued at around $1.5 million at that time, were transferred. Given Gala’s troubled history, community members have been vigilant regarding bridging activities, particularly noting the peculiar pattern of daily withdrawals of exactly 5 million GALA tokens on Ethereum. Upon investigation, they discovered that the corresponding deposit transactions were absent on GalaScan.
Community Engagement and Lack of Explanation
The involved community group reached out to Gala Games through Discord on November 6, tagging the CEO and a community moderator to bring attention to the issue. Despite their efforts, they claim to have received no satisfactory explanation, only being informed that the missing transactions might be attributed to GalaScan being a “work in progress.” Unfortunately, it wasn’t until four days later that Gala Games took any action, during which time an additional 25 million GALA tokens (approximately $250,000) were withdrawn from the Ethereum bridge.
Pattern of Withdrawals Raises Concerns
Starting from October 13, there were 26 withdrawals of 5 million GALA tokens almost daily from the bridge. These tokens were sent to several Ethereum addresses, which subsequently converted them into ETH. On November 10, just hours before the bridge was paused, another 10 million GALA was withdrawn. A review of the transaction history from GalaScan indicates a lack of matching transactions on the GalaChain side, raising further suspicions.
Missing Transactions Point to Potential Compromise
An example of the first questionable withdrawal on October 13 at 15:55 UTC highlights the issue: surrounding transactions of 18,800 and 24,000 GALA are documented in GalaScan, yet the 5 million GALA minted on Ethereum lacks a corresponding deposit on GalaChain. This same scenario repeated itself across subsequent daily withdrawals until the bridge was ultimately paused. The community group suspects these one-sided withdrawals could indicate a breach of privileged access.
Gala’s Response to the Situation
According to the community, Gala has not publicly acknowledged the situation or provided clarity on its cause. Notifications regarding the suspension of the Ethereum and Solana bridges only reference “community feedback and concerns.” Protos has attempted to contact Gala for a response but has not received any communication prior to the publication of this article; updates will be provided if a reply is received.
Previous Security Incident Resurfaces Concerns
The current incident draws parallels to a significant hack in May 2024, during which 600 million GALA tokens were sold for $21 million. At that time, CEO Eric Schiermeyer admitted, “We messed up our internal controls… This shouldn’t have happened and we are taking steps to ensure it doesn’t ever again.” Recently, Gala stated that the security breach involving the $GALA token has been contained, the affected wallet has been frozen, and they are collaborating with law enforcement to investigate the individuals responsible.
Ongoing Risks Highlighted by Community Group
The community group emphasizes the resemblance between the two incidents, noting both involved misuse of privileged credentials, delayed detection, and subsequent authority changes. They argue that this pattern signifies persistent vulnerabilities within Gala’s infrastructure and poses ongoing risks to its token holders.
