
Socket Cross-Chain Protocol Loses $3.3 Million in Exploit
The team behind the cross-chain bridge aggregator Socket reported an attack resulting in a $3.3 million loss for the protocol.
Urgent
Socket has experienced a security incident which affected wallets with infinite approvals to Socket contracts.
We have identified the issue & have paused the affected contracts.
We’re working on the situation & will keep you informed with regular updates & next steps.
— Socket (@SocketDotTech) January 16, 2024
“Socket has experienced a security incident affecting wallets with infinite contract approvals. We have identified the issue and paused the affected contracts,” the developers wrote.
They advised users to revoke all approvals for security reasons.
The exploit was initially discovered by a researcher known as Spreek.
Socket/Bungee approval being exploited rn. several million already gone. attack is ongoing pic.twitter.com/8C25GBPeuo
— Spreek (@spreekaway) January 16, 2024
“Several million already gone. Attack is ongoing,” he noted, providing the attacker’s address.
He also advised revoking approvals but urged caution and the use of only verified links.
Less than an hour later, the expert noted that transactions to the hacker’s wallet had ceased.
“I think this pause has fixed the situation, and attacks are likely no longer possible. So, if you’re worried about revoking now, you can probably relax,” Spreek concluded.
According to PeckShield experts, the exploit resulted from “incomplete verification of user input data,” which was used to steal funds from those who approved the vulnerable SocketGateway contract.
Today’s hack on @SocketDotTech results in the loss of >$3.3m.
The bad route exploited in the hack was added 3 days ago and is now disabled. Here are related txs:
— add route tx: https://t.co/lxw7iA1kn4
— disable route tx: https://t.co/QMHfI4YeuU
The hack is due to… https://t.co/QdBBgVF287 pic.twitter.com/yNxF5vCwax
— PeckShield Inc. (@peckshield) January 16, 2024
The attacker created a route for the attack three days before the incident by deploying a contract.
In 2023, the crypto industry lost $1.8 billion due to hacking and fraud.
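For readers acting on the advice to revoke approvals, here is an added example (not code from Socket, PeckShield or the original article) that scans ERC-20 Approval logs, in the shape returned by eth_getLogs, and lists the token/owner pairs whose most recent approval to a given spender is still unlimited. The spender, token and owner addresses and the sample logs are constructed placeholders, and the "unlimited" threshold is an assumption.

```python
# keccak256("Approval(address,address,uint256)") and keccak256("Transfer(address,address,uint256)")
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
UNLIMITED_FLOOR = 1 << 255          # assumption: amounts this large count as "infinite"
MAX_UINT256 = (1 << 256) - 1

# Constructed placeholder addresses (not the real SocketGateway, tokens or wallets).
SPENDER, OTHER = "0x" + "5c" * 20, "0x" + "0d" * 20
TOKEN1, TOKEN2 = "0x" + "11" * 20, "0x" + "22" * 20
OWNER_A, OWNER_B, OWNER_C = ("0x" + b * 20 for b in ("a1", "b2", "c3"))

def topic_to_address(topic):
    """Indexed address topics are 32-byte words; the address is the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def make_log(token, owner, spender, value, block, index, topic0=APPROVAL_TOPIC):
    """Build a constructed log entry shaped like an eth_getLogs result."""
    word = lambda addr: "0x" + addr[2:].rjust(64, "0")
    return {"address": token, "topics": [topic0, word(owner), word(spender)],
            "data": "0x" + format(value, "064x"),
            "blockNumber": hex(block), "logIndex": hex(index)}

def live_unlimited_approvals(logs, spender):
    """Return sorted (token, owner) pairs whose latest approval to spender is unlimited."""
    latest = {}
    order = lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16))
    for log in sorted(logs, key=order):      # replay in chain order; later approvals win
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue                         # ERC-721 Approval has 4 topics; skip non-ERC-20
        if topic_to_address(topics[2]) != spender.lower() or len(log["data"]) != 66:
            continue                         # different spender, or malformed amount word
        latest[(log["address"].lower(), topic_to_address(topics[1]))] = int(log["data"], 16)
    return sorted(pair for pair, amount in latest.items() if amount >= UNLIMITED_FLOOR)

# Constructed sample, deliberately out of chain order.
SAMPLE_LOGS = [
    make_log(TOKEN1, OWNER_B, SPENDER, 0, 105, 2),             # B revokes later
    make_log(TOKEN1, OWNER_A, SPENDER, MAX_UINT256, 100, 0),   # A: still unlimited
    make_log(TOKEN1, OWNER_B, SPENDER, MAX_UINT256, 101, 4),   # B: unlimited, then revoked
    make_log(TOKEN2, OWNER_A, OTHER, MAX_UINT256, 102, 1),     # unrelated spender
    make_log(TOKEN1, OWNER_C, SPENDER, 1000, 103, 0),          # bounded approval
    make_log(TOKEN1, OWNER_A, SPENDER, 5, 104, 0, TRANSFER_TOPIC),  # not an Approval
]

if __name__ == "__main__":
    for token, owner in live_unlimited_approvals(SAMPLE_LOGS, SPENDER):
        print(f"owner {owner} has an unlimited approval on token {token}")
```

An Approval log records the amount that was set, not what remains, so confirm each hit with the token's allowance(owner, spender) call before deciding what to revoke.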