Socket Protocol suffers security breach, loses $3.3 million in cross-chain bridge hack
Socket Protocol, a cross-chain infrastructure provider for Web3 applications, announced that it was hacked on January 16, 2024, resulting in the loss of roughly $3.3 million worth of user assets. The protocol paused the affected smart contracts to prevent further draining.
To be crystal clear: all the affected contracts have been PAUSED.
Users don’t need to do ANYTHING.
— Socket (@SocketDotTech) January 16, 2024
According to PeckShield, a blockchain security firm, the cause was a flaw in a smart contract behind Bungee Exchange, the cross-chain bridge front end developed by Socket Protocol. The contract did not properly validate user-supplied input, so an attacker could make the contract spend the token approvals that users had granted it, pulling funds directly from those users' wallets without any action on their part.
PeckShield added that the vulnerable contract had been added only three days before the attack and was disabled after the hack. The attacker abused a newly added route in the contract to drain users who had over-approved it, meaning they had granted the contract an allowance larger than the amount they actually bridged, leaving a spendable remainder.
Today’s hack on @SocketDotTech results in the loss of >$3.3m.
— PeckShield Inc. (@peckshield) January 16, 2024
For example, if a user bridged $1,000 worth of tokens but had approved the contract for $2,000, a $1,000 allowance remained, and the attacker could withdraw that remaining $1,000 from the user's wallet. Users who had granted an unlimited approval were exposed for their entire token balance. Steven Zhang, an analyst at The Block, explained this scenario on X.
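The allowance mechanics described above, as a small Python model added to this article (it is not Socket's code, and the names Token, VulnerableRouter, SafeRouter, ROUTER and VAULT are invented for illustration). It shows a router that executes a caller-supplied route with its own authority, the same router restricted to a fixed table of routes, and how the leftover allowance, including the unlimited-approval case, determines what an attacker can pull:

```python
# Toy ERC-20 allowance model illustrating the over-approval risk.
# Added example for this article; not Socket Protocol's contracts.

MAX_UINT = 2**256 - 1                      # the "unlimited" approval many dapps request
ROUTER, VAULT = "router", "bridge_vault"   # hypothetical contract addresses
VICTIM, ATTACKER = "victim", "attacker"    # hypothetical user addresses


class Token:
    """Minimal ERC-20 model: balances and (owner, spender) -> allowance."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}

    def approve(self, owner, spender, amount):
        self.allowances[(owner, spender)] = amount

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def transfer_from(self, caller, owner, to, amount):
        """transferFrom semantics: `caller` spends `owner`'s allowance."""
        allowed = self.allowance(owner, caller)
        if amount > allowed:
            raise PermissionError("allowance exceeded")
        if amount > self.balances.get(owner, 0):
            raise PermissionError("balance exceeded")
        if allowed != MAX_UINT:            # unlimited approvals never shrink
            self.allowances[(owner, caller)] = allowed - amount
        self.balances[owner] = self.balances.get(owner, 0) - amount
        self.balances[to] = self.balances.get(to, 0) + amount


class VulnerableRouter:
    """Pulls `amount` from the user, then executes a caller-supplied
    `route` hook with the router's own authority, without checking it."""

    def __init__(self, token):
        self.token = token

    def bridge(self, user, amount, route):
        self.token.transfer_from(ROUTER, user, VAULT, amount)
        route(self.token)   # runs as ROUTER, so it can spend anyone's allowance


class SafeRouter:
    """Only executes routes from a contract-defined table keyed by id; the
    action gets the calling user and amount, never caller-supplied code."""

    def __init__(self, token):
        self.token = token
        self.routes = {"lock": self._lock}

    def _lock(self, user, amount):
        self.token.transfer_from(ROUTER, user, VAULT, amount)

    def bridge(self, user, amount, route):
        action = self.routes.get(route)
        if action is None:
            raise ValueError("unknown route")
        action(user, amount)


def revoke(token, owner, spender):
    """What an over-approved user should do: set the allowance to zero."""
    token.approve(owner, spender, 0)


def run_scenario(approved, intended, hardened=False):
    """Victim approves `approved`, bridges `intended`; the attacker then sends
    a transaction whose route tries to pull whatever allowance remains.
    Returns (amount stolen, victim's leftover allowance to the router)."""
    token = Token({VICTIM: 5_000})
    token.approve(VICTIM, ROUTER, approved)
    router = SafeRouter(token) if hardened else VulnerableRouter(token)

    # Legitimate bridge transaction by the victim.
    router.bridge(VICTIM, intended, "lock" if hardened else (lambda t: None))

    def malicious_route(t):
        spendable = min(t.allowance(VICTIM, ROUTER), t.balances[VICTIM])
        t.transfer_from(ROUTER, VICTIM, ATTACKER, spendable)

    try:
        router.bridge(ATTACKER, 0, malicious_route)   # attacker's own transaction
    except ValueError:
        pass                                          # hardened router rejects it
    return token.balances.get(ATTACKER, 0), token.allowance(VICTIM, ROUTER)


if __name__ == "__main__":
    print("approved 2000, bridged 1000:", run_scenario(2_000, 1_000))
    print("approved 1000, bridged 1000:", run_scenario(1_000, 1_000))
    print("unlimited approval, bridged 1000:", run_scenario(MAX_UINT, 1_000))
    print("hardened router:", run_scenario(2_000, 1_000, hardened=True))
```

The attacker's transaction in the model moves none of the attacker's own funds; it only needs the router to execute the supplied route, which is why exact-amount approvals and revoking stale allowances limit the damage even when the contract itself is flawed. The hardened router stops the theft, but the victim's leftover allowance remains until it is revoked.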
Socket Protocol said that it is investigating the incident and will provide updates and next steps for the affected users soon.
This is not the first hack to target crypto projects in January 2024. Earlier this month, Orbit Chain, a cross-chain bridge protocol, lost $81.5 million in a separate attack on its bridge. Radiant Capital, a lending platform, was also exploited and lost $4.5 million. Gamma Protocol, a liquidity protocol, suffered a $6.3 million loss in a flash-loan attack. In addition, the X accounts of several prominent crypto entities, including CertiK, CoinGecko, and the U.S. Securities and Exchange Commission (SEC), were compromised and used to post misleading messages.