Clipper DEX Clarifies Security Breach, Confirms Withdrawal Function Vulnerability Behind $450,000 Exploit

Clipper has issued a clarification regarding a recent security breach that resulted in the theft of approximately $450,000 from its pools. The attacker was able to exploit a flaw in the withdrawal process, stealing roughly 6% of Clipper’s TVL at the time.


Meghna Chowdhury

Decentralized exchange (DEX) Clipper has issued a clarification regarding a recent security breach that resulted in the theft of approximately $450,000 from its pools.

In a statement on December 1, 2024, the platform addressed rumours circulating about a possible private key leak and confirmed that the hack was due to a vulnerability in its withdrawal function.

How Did the Exploit Happen?

The exploit, which occurred at 4 a.m. UTC on the morning of December 1, targeted Clipper’s pools on the Optimism and Base networks. The attacker was able to exploit a flaw in the withdrawal process, stealing roughly 6% of Clipper’s total value locked (TVL) at the time. 

The hacker attempted to exploit other chains but was unsuccessful, meaning that the impact was limited to the two affected pools. Clipper confirmed that the exploit was no longer ongoing and assured users that the situation was under control.

In response to the hack, Clipper temporarily paused swaps and deposits across all supported chains. This action was taken to ensure that further vulnerabilities could be identified and addressed while the investigation was underway. 

However, the platform emphasized that withdrawals remained functional. Since Clipper is a noncustodial platform, it cannot block users from withdrawing their funds. Due to the nature of the exploit, though, withdrawals are now only possible as a mix of the assets in the pool rather than as a single token.

The single-token withdrawal option, which previously bundled a swap with a deposit or withdrawal into one transaction, was disabled after it was identified as the exploited feature.

Clipper Denies News on Private Key Leak

Clipper also responded to claims from third-party sources suggesting that the hack was due to a private key leak. 

The claims originated with Chaofan Shou, co-founder of the security firm Fuzzland, who posted on X (formerly Twitter) that Clipper had been hacked through an API vulnerability. Shou suggested that flaws in the API could have allowed the attacker to sign deposit and withdrawal requests, enabling them to withdraw more funds than they had deposited.

However, Clipper clarified that these claims were inaccurate and inconsistent with the platform's security architecture. The team confirmed that the hack was not related to any private key compromise but rather to a vulnerability in the withdrawal process.

As part of its response, Clipper has initiated an investigation into the incident and is working to trace the stolen funds to recover them. The platform also appealed directly to the attacker, offering an opportunity to come forward and contact Clipper to resolve the matter.

Despite the setback, Clipper remains committed to transparency and ensuring the security of its protocol. The team pledged to provide further updates as more information becomes available and as they continue their investigation into the exploit. Users have been urged to stay updated through official channels, as the platform works to restore full functionality and bolster its security.

The incident highlights the ongoing risks and challenges faced by decentralized platforms, underscoring the importance of robust security measures to protect user assets. As Clipper works to address the vulnerability, it serves as a reminder of the need for continuous vigilance and improvement in the rapidly evolving world of DeFi.
