Socket Tech security breach affects multiple dapps and wallets
The bridging protocol is integrated into other services, but only for users granting unlimited approval
Cross-chain infrastructure protocol Socket.Tech suffered an exploit on Jan. 16, affecting various Web3 apps.
The attack targeted the Bungee Exchange, a frontend to the Socket Protocol which bridges between Ethereum and 12 EVM chains, resulting in a loss of about $3.3 million.
A hacker exploited a vulnerability in the SocketGateway part of the system, which allowed them to take money from users who had given permission to that component, without the users’ knowledge or consent.
Only a subset of users who interacted with a vulnerable bridging route added to the protocol in recent days and granted the gateway access to an unlimited amount of tokens were affected — about 200 victims based on a dashboard created on Dune Analytics.
The attacker, whose wallet was funded from privacy-preserving exchange FixedFloat, essentially found a weak spot in how the system checked and processed user data, using this to illicitly access and transfer funds.
The route was subsequently disabled to prevent further exploitation, and service to the protocol was restored after about 6 hours.
In addition to Bungee, Socket’s bridging protocol is employed by third-party dapps such as wallets from Rainbow and Zeal, however both these prevented downstream effects by only invoking approvals for specific asset values in a transfer — which is considered best practice.
The Socket team has promised a full post-mortem analysis, and said its other “top priorities” are “doing right by our users” and “recovery of funds.”
“We are deeply sorry for the turbulence caused,” they said.
Updated Jan. 26 at 6:35 am ET: The estimated tally of victims was revised lower after publication, closer to 200 than 700 as initially reported.
Don’t miss the next big story – join our free daily newsletter.