On January 16, an attacker exploited a flaw in a newly added route of Socket's SocketGateway contract and drained roughly $3.3 million in tokens from 219 users who had granted that contract token approvals. Socket detected and patched the bug within hours, the bridge resumed normal operation within 24 hours, and the team has since announced that most of the stolen funds have been recovered.
The bridge itself was not broken. The faulty route accepted unchecked user input, which let the attacker spend the allowances users had already granted to SocketGateway and pull tokens straight out of their wallets, up to each user's approved limit. Users who had approved more than they actually bridged were the ones exposed.
Socket, a protocol that enables cross-chain bridges, has announced that it has reclaimed most of the funds that were siphoned off by a hacker in a recent attack.
The protocol’s official X account stated that it has retrieved 1,032 Ether, which is equivalent to $2.3 million of the $3.3 million that were stolen. The protocol plans to release a recovery and distribution plan for the affected users soon.
Socket Expresses Gratitude to On-chain Analytics Accounts
Socket also expressed its gratitude to several on-chain analytics accounts for their assistance in retrieving the funds.
The hacker executed the attack on Jan. 16 by using a token approval granted to an Ethereum address that ends with 97a5. The attack targeted wallets that had granted unlimited approvals to Socket contracts.
Restores Normal Operations within 24 Hours
The attack resulted in net losses of around $3.3 million for 219 users. The protocol was able to detect and fix the bug within hours of the attack, and the bridge resumed its normal operation within 24 hours.
The hacker exploited the over-approval of the Socket platform: for each affected wallet, assets were drained until the user's authorized limit was reached or the wallet ran out of the token, whichever came first. What the attacker took was the pre-approved balance that users had never actually bridged. Users could have eliminated that unused exposure by revoking the approval, or by approving only the amount they intended to bridge.
PeckShield Discovers Flaw in SocketGateway Contract
PeckShield, a blockchain security firm, reported that the attack was caused by insufficient validation of user input in the compromised SocketGateway route, so users who had approved the SocketGateway contract became victims of the attack.
The security firm also noted that the malicious route was added three days before the attack. Users were advised to revoke their approvals to this address, which appears as "Socket: Gateway" on Etherscan, and to check the spender address before signing the revocation.
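The two points above, that an attacker holding a compromised spender can pull up to the smaller of a user's allowance and balance, and that the fix on the user side is a revoke, can be checked against a wallet's own Approval logs. The following is an added example written for this article, not code from Socket, PeckShield or any wallet; it works on logs in the shape `eth_getLogs` returns, but the logs, addresses, balances and the spender called `GATEWAY` below are all constructed for the example. The event topic and function selector are the standard ERC-20 ones.

```python
"""Audit a wallet's ERC-20 approvals and build the revoke transaction.

Added example, not Socket's or PeckShield's code. Input is a list of logs in
the shape eth_getLogs returns (address / topics / data as hex strings); the
sample logs and every address below are constructed for this example.
"""

UINT256_MAX = 2**256 - 1

# keccak256("Approval(address,address,uint256)"): topics[0] of every ERC-20 Approval event
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
# first four bytes of keccak256("approve(address,uint256)")
APPROVE_SELECTOR = "0x095ea7b3"

# Hypothetical addresses, constructed for this example
OWNER = "0x" + "11" * 20     # the user's wallet
GATEWAY = "0x" + "22" * 20   # a bridge spender that later turns out to be compromised
DEX = "0x" + "33" * 20       # an unrelated spender, approved for an exact amount
TOKEN_A = "0x" + "aa" * 20   # a 6-decimal stablecoin
TOKEN_B = "0x" + "bb" * 20   # an 18-decimal token


def _addr_from_topic(topic: str) -> str:
    """Indexed address topics are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()


def parse_approval(log: dict) -> tuple[str, str, str, int]:
    """Return (token, owner, spender, amount) for one Approval log."""
    if log["topics"][0].lower() != APPROVAL_TOPIC:
        raise ValueError("not an ERC-20 Approval event")
    token = log["address"].lower()
    owner = _addr_from_topic(log["topics"][1])
    spender = _addr_from_topic(log["topics"][2])
    amount = int(log["data"], 16)
    return token, owner, spender, amount


def current_allowances(logs: list[dict], owner: str) -> dict[tuple[str, str], int]:
    """Latest allowance per (token, spender): approve() overwrites, so the last log wins.

    Logs are assumed to be in chain order (block, then log index), which is
    the order eth_getLogs returns them in.
    """
    allowances: dict[tuple[str, str], int] = {}
    for log in logs:
        token, log_owner, spender, amount = parse_approval(log)
        if log_owner == owner.lower():
            allowances[(token, spender)] = amount
    return allowances


def is_unlimited(amount: int) -> bool:
    """Treat anything at or above 2**255 as an "unlimited" approval (wallets default to uint256 max)."""
    return amount >= 2**255


def exposure(allowance: int, balance: int) -> int:
    """What a compromised spender can pull right now.

    transferFrom is capped by the allowance and by the tokens actually in the
    wallet, so the drain stops at the smaller of the two.
    """
    return min(allowance, balance)


def exposed_to(logs: list[dict], owner: str, balances: dict[str, int], spender: str) -> dict[str, int]:
    """Per token, how much `spender` could take from `owner` given current balances."""
    out: dict[str, int] = {}
    for (token, sp), allowance in current_allowances(logs, owner).items():
        if sp == spender.lower():
            out[token] = exposure(allowance, balances.get(token, 0))
    return out


def revoke_calldata(spender: str) -> str:
    """ABI-encoded approve(spender, 0); send it to the token contract, not to the spender."""
    spender_word = spender[2:].lower().rjust(64, "0")
    zero_word = "0" * 64
    return APPROVE_SELECTOR + spender_word + zero_word


def _approval_log(token: str, owner: str, spender: str, amount: int) -> dict:
    """Build one log in eth_getLogs shape (constructed test data)."""
    pad = lambda a: "0x" + a[2:].lower().rjust(64, "0")
    return {"address": token,
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(amount, "064x")}


# Constructed history: the user approved the gateway for "unlimited" on token A,
# a DEX for an exact amount, and revoked an earlier token-B approval to the gateway.
SAMPLE_LOGS = [
    _approval_log(TOKEN_A, OWNER, GATEWAY, UINT256_MAX),
    _approval_log(TOKEN_A, OWNER, DEX, 1_000 * 10**6),
    _approval_log(TOKEN_B, OWNER, GATEWAY, 5 * 10**18),
    _approval_log(TOKEN_B, OWNER, GATEWAY, 0),
]
SAMPLE_BALANCES = {TOKEN_A: 2_500 * 10**6, TOKEN_B: 10 * 10**18}


if __name__ == "__main__":
    for (token, spender), amount in current_allowances(SAMPLE_LOGS, OWNER).items():
        flag = "UNLIMITED" if is_unlimited(amount) else str(amount)
        print(f"{token[:10]}.. -> {spender[:10]}..: {flag}")
    print("exposed to gateway:", exposed_to(SAMPLE_LOGS, OWNER, SAMPLE_BALANCES, GATEWAY))
    print("revoke calldata:", revoke_calldata(GATEWAY))
```

The unlimited approval on token A exposes the user's entire 2,500-token balance to the gateway, while the exact-amount approval to the DEX caps exposure at 1,000 even though the balance is larger, which is the difference between the victims and the non-victims described above. The revoke is an ordinary `approve(spender, 0)` call sent to the token contract; a phishing site that asks you to sign a revocation for a different spender, or to send it to a different contract, is the second attack in this story.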
The attack was not limited to the initial theft of funds.
The X post from Socket also revealed that phishing scammers used a fake Socket account to post a link to a malicious app, and encouraged users to "revoke" their approvals through a second malicious app, turning the remediation advice itself into a lure.
Cross-chain bridges and interoperability protocols are essential for letting different decentralized protocols interact; however, because they hold or are approved to move large balances, they have also become a frequent target for hackers. Some of the biggest decentralized finance attacks of the past few years have happened on cross-chain bridges.