Key Takeaways
- The exploit targeted Clipperโs liquidity pools on the Optimism and Base chains, accounting for roughly 6% of the platformโs TVL.
- ย Clipperโs investigation revealed that the vulnerability originated from a bundled swap-and-withdraw function
Decentralized exchange (DEX) Clipper recently confirmed a security breach that led to a loss of approximately $450,000. The incident, which occurred on December 1 exploited a vulnerability in the withdrawal functionality of its protocol. Initial speculation about a private key leak was dismissed by the platform, which attributed the breach solely to the identified vulnerability.
The exploit targeted Clipperโs liquidity pools on the Optimism and Base chains, accounting for roughly 6% of the platformโs total value locked (TVL). The attacker attempted to extend the breach to other chains, but these attempts reportedly failed.
Following the attack, Clipper suspended swaps and deposits to mitigate further risks while maintaining restricted withdrawals. A key preventative measure involved disabling single-asset withdrawals, requiring users to withdraw proportional asset combinations instead.
Clipperโs investigation revealed that the vulnerability originated from a bundled swap-and-withdraw function. This design flaw allowed the attacker to manipulate transactions, withdrawing more assets than they had initially deposited. Reportedly, the method involved utilizing the platformโs API to execute transactions that bypassed normal controls. A suspicious transaction within Clipperโs deposit and withdrawal functions was identified as pivotal to the exploit.
โThe ability to withdraw in the form of just one token (a bundled swap + deposit/withdrawal transaction) is disabled, because that seems to have been the exploited feature,โ Clipper noted.
In response to third-party claims suggesting a private key leak, Clipper issued a statement rejecting such allegations.ย โThere have been third-party claims suggesting a private key leak. We can confirm that this is not the case and is inconsistent with the design and security architecture of Clipper.โย
The company clarified that its security architecture remains intact and noted that no other pools or chains were impacted by the breach. Clipper emphasized that all transactions within the protocol align with its design, and the vulnerability has since been contained.
In the meantime, the exchange is conducting an in-depth review of its systems to enhance security and prevent similar occurrences. Users have been reassured that comprehensive updates will be provided as the investigation progresses.
The platform added itโs tracing the stolen funds to recover them and had further asked the hacker to contact the project if theyโre โwilling to speak.โ The first half of 2024 has seen over 200 significant hacks in the crypto industry, totalling around $1.56 billion in losses, with only $319 million recovered.
