A $450,000 hack on Clipper was likely from a withdrawal vulnerability, not a leak, the decentralized exchange has said.
Decentralized exchange (DEX) Clipper has clarified that a vulnerability in its withdrawal function, rather than a private key leak as suggested by a “third party,” caused the recent $450,000 hack of its protocol.
Clipper said in a Dec. 1 X post that the attacker exploited two liquidity pools on Dec. 1, draining around 6% of its total value locked. It added that no other pools were affected and that the exploit had ended.
“There have been third-party claims suggesting a private key leak,” Clipper wrote. “We can confirm that this is not the case and is inconsistent with the design and security architecture of Clipper.”
“The ability to withdraw in the form of just one token (a bundled swap + deposit/withdrawal transaction) is disabled, because that seems to have been the exploited feature,” it added.
Earlier, Chaofan Shou, co-founder of security firm Fuzzland, posted to X that Clipper was “hacked due to API vulnerability (like private key leak),” adding that the API likely had vulnerabilities that allowed an attacker to sign deposit and withdrawal requests and withdraw more funds than they had put in.
Clipper said it is investigating the incident and promised further updates. In the meantime it has paused swaps and deposits on its protocol. Withdrawals remain open, but they “must be in the mix of all assets in the pool,” it added.
The project wrote that it has also begun tracing the stolen funds in an attempt to recover them, and it asked the exploiter to contact the project if they are “willing to speak.”
The hack adds to the more than $1.48 billion worth of crypto stolen in 2024 through the end of November, a 15% decrease compared with the same period last year, according to a Nov. 28 Immunefi report.
Clipper’s creator, Shipyard Software Inc., did not immediately respond to a request for comment outside of normal business hours.
Shou was contacted for comment.
This article first appeared at Cointelegraph.com News