Decentralized exchange (DEX) Clipper clarified that a vulnerability in its withdrawal function allowed a recent $450,000 hack of its protocol, rather than a private key leak as suggested by a “third-party.”
Clipper said in an X post that the attacker exploited two liquidity pools on Dec. 1 and took about 6% of its total value locked. It added that no other pools were affected and the exploit had ended.
“There have been third-party claims suggesting a private key leak,” Clipper wrote. “We can confirm that this is not the case and is inconsistent with the design and security architecture of Clipper.”
“The ability to withdraw in the form of just one token (a bundled swap + deposit/withdrawal transaction) is disabled, because that seems to have been the exploited feature,” it added.
Earlier, Chaofan Shou, co-founder of security firm Fuzzland, had posted on X that Clipper was “hacked due to API vulnerability (like private key leak)” and added that the API likely had vulnerabilities that allowed an attacker to sign deposit and withdrawal requests and pilfer more funds than they were putting in.
Clipper said it is investigating the incident and promised to provide further updates. It has paused swaps and deposits on its protocol. Withdrawals are open, but they “must be in the mix of all assets in the pool,” it said.
The project said that it’s tracing the stolen funds in an attempt to recover them and had asked the exploiter to contact the project if they’re “willing to speak.”
The hack adds to the more than $1.48 billion worth of crypto stolen in 2024 through the end of November, a 15% decrease compared to the same period last year, according to a Nov. 28 Immunefi report.
Clipper’s creator, Shipyard Software Inc., did not immediately respond to a request for comment outside of normal business hours. Shou was also asked to comment and had yet to respond.