Clipper DEX Hacked Due to Withdrawal Vulnerability, $450K Lost
Key Takeaways
- The exploit targeted Clipper’s liquidity pools on the Optimism and Base chains, accounting for roughly 6% of the platform’s TVL.
- Clipper’s investigation revealed that the vulnerability originated from a bundled swap-and-withdraw function.
Decentralized exchange (DEX) Clipper recently confirmed a security breach that led to a loss of approximately $450,000. The incident, which occurred on December 1, exploited a vulnerability in the withdrawal functionality of its protocol. Initial speculation about a private key leak was dismissed by the platform, which attributed the breach solely to the identified vulnerability.
The exploit targeted Clipper’s liquidity pools on the Optimism and Base chains, accounting for roughly 6% of the platform’s total value locked (TVL). The attacker attempted to extend the breach to other chains, but these attempts reportedly failed.
Following the attack, Clipper suspended swaps and deposits to mitigate further risks while maintaining restricted withdrawals. A key preventative measure involved disabling single-asset withdrawals, requiring users to withdraw proportional asset combinations instead.
Clipper’s investigation revealed that the vulnerability originated from a bundled swap-and-withdraw function. This design flaw allowed the attacker to manipulate transactions, withdrawing more assets than they had initially deposited. Reportedly, the method involved using the platform’s API to execute transactions that bypassed normal controls. A suspicious transaction within Clipper’s deposit and withdrawal functions was identified as pivotal to the exploit.
“The ability to withdraw in the form of just one token (a bundled swap + deposit/withdrawal transaction) is disabled, because that seems to have been the exploited feature,” Clipper noted.
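To illustrate the mitigation described above (withdrawals limited to a proportional share of every pool asset, with the single-asset path disabled), here is a toy share-based pool model. It is an added example written for this article, not Clipper’s contract or code; the class, method names and the sample deposits are hypothetical. The point it shows is that when a liquidity provider can only burn shares for a pro-rata slice of each reserve, the amount withdrawn is bounded by the shares they hold, so there is no route by which a withdrawal returns more value than was deposited.

```python
from fractions import Fraction


class ProRataPool:
    """Toy multi-asset liquidity pool that permits only proportional withdrawals.

    Hypothetical illustration of the mitigation in the article (not Clipper's
    code): liquidity is tracked as shares, and burning shares returns the same
    fraction of every reserve. There is deliberately no single-asset exit.
    """

    def __init__(self, assets):
        self.reserves = {a: Fraction(0) for a in assets}
        self.total_shares = Fraction(0)
        self.shares = {}

    def deposit(self, user, amounts):
        """Add liquidity in every pool asset and mint shares for it."""
        amounts = {a: Fraction(v) for a, v in amounts.items()}
        if set(amounts) != set(self.reserves):
            raise ValueError("deposit must include every pool asset")
        if any(v <= 0 for v in amounts.values()):
            raise ValueError("deposit amounts must be positive")
        if self.total_shares == 0:
            # First deposit bootstraps the pool; share count is arbitrary here.
            minted = sum(amounts.values())
        else:
            # Shares are priced off the weakest leg of the deposit, so a
            # lopsided deposit cannot earn more shares than its smallest
            # proportional contribution (any excess simply stays in the pool).
            minted = min(self.total_shares * amt / self.reserves[a]
                         for a, amt in amounts.items())
        for a, amt in amounts.items():
            self.reserves[a] += amt
        self.total_shares += minted
        self.shares[user] = self.shares.get(user, Fraction(0)) + minted
        return minted

    def claim(self, user):
        """Exact pro-rata entitlement of a user across all reserves."""
        owned = self.shares.get(user, Fraction(0))
        if self.total_shares == 0:
            return {a: Fraction(0) for a in self.reserves}
        return {a: r * owned / self.total_shares for a, r in self.reserves.items()}

    def withdraw(self, user, burn):
        """Burn shares and receive the same fraction of every reserve."""
        burn = Fraction(burn)
        if burn <= 0 or burn > self.shares.get(user, Fraction(0)):
            raise ValueError("cannot burn more shares than owned")
        fraction = burn / self.total_shares
        out = {a: r * fraction for a, r in self.reserves.items()}
        # Invariant check: nothing paid out may exceed the user's entitlement.
        entitlement = self.claim(user)
        for a, amt in out.items():
            assert amt <= entitlement[a], "withdrawal exceeds pro-rata claim"
        for a, amt in out.items():
            self.reserves[a] -= amt
        self.total_shares -= burn
        self.shares[user] -= burn
        return out

    def withdraw_single_asset(self, user, asset, burn):
        """Single-asset exit (swap bundled with withdrawal) is disabled."""
        raise PermissionError("single-asset withdrawals are disabled; "
                              "withdraw proportionally instead")


if __name__ == "__main__":
    # Constructed sample: two providers, one exits with exactly what they added.
    pool = ProRataPool(["ETH", "USDC"])
    pool.deposit("alice", {"ETH": 10, "USDC": 30000})
    pool.deposit("bob", {"ETH": 1, "USDC": 3000})
    print(pool.withdraw("bob", 3001))
```

In this model the only quantity a user controls is how many of their own shares to burn, and every asset leaves the pool in the same proportion, so the output is fixed by the pool's reserves rather than by anything the caller chooses about the order or composition of the withdrawal.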
In response to third-party claims suggesting a private key leak, Clipper issued a statement rejecting such allegations. “There have been third-party claims suggesting a private key leak. We can confirm that this is not the case and is inconsistent with the design and security architecture of Clipper.”
The company clarified that its security architecture remains intact and noted that no other pools or chains were impacted by the breach. Clipper emphasized that all transactions within the protocol align with its design, and the vulnerability has since been contained.
In the meantime, the exchange is conducting an in-depth review of its systems to enhance security and prevent similar occurrences. Users have been reassured that comprehensive updates will be provided as the investigation progresses.
The platform added that it is tracing the stolen funds to recover them and has asked the hacker to contact the project if they are “willing to speak.” The first half of 2024 saw over 200 significant hacks in the crypto industry, totalling around $1.56 billion in losses, with only $319 million recovered.