Socket: $3.3M Loss and Security Lessons
Socket Bridge Security Breach: Delving into the $3.3M Loss, Exploring Critical Vulnerabilities in Newly Added Contract Routes, Lessons in Crypto Security, and Why Regular Approval Reviews Are Imperative
TL;DR
The Socket Bungee bridge lost roughly $3.3M through a flaw in a contract route added to its bridging contracts only three days earlier. Earlier audits by Peckshield and Consensys Diligence had not covered the new route. Users are advised to review and revoke token approvals regularly to limit their exposure to this class of attack.
In a significant financial blow, Socket's Bungee bridge suffered a $3.3M loss due to a recent attack targeting addresses that had previously authorized the SocketGateway contract on the Ethereum blockchain.
Following the breach, Socket's team responded quickly, acknowledging the compromise and pausing the affected contracts about 14 minutes after the incident came to light.
Urgent
Socket has experienced a security incident which affected wallets with infinite approvals to Socket contracts.
We have identified the issue & have paused the affected contracts.
We’re working on the situation & will keep you informed with regular updates & next steps.
— Socket (@SocketProtocol)
8:05 PM • Jan 16, 2024
Rainbow, a popular wallet whose in-app bridging feature uses Socket's contracts, promptly notified its users of the breach. It advised affected users to check their addresses and revoke any outstanding approvals using RevokeCash's approval-revocation tool.
The incident underscores the persistent threat facing bridges in the crypto ecosystem, exemplified by the recent $80M New Year’s Eve attack on Orbit. Security experts emphasize the critical need for rigorous scrutiny of bridge operations, particularly during updates, to mitigate risks posed by malicious actors.
The incident also raises questions about the review process that allowed a new, unvalidated route to be deployed to a live bridge.
The breach stemmed from missing input validation in a new route added to the bridging contract, deployed just three days before the attack.
Specifically, the vulnerable route did not validate the swapExtraData parameter before forwarding it in an external call. An attacker could therefore supply calldata encoding an ERC-20 transferFrom call, which the gateway executed with its own address as msg.sender; because victims had already approved the SocketGateway contract to spend their tokens, that call moved their approved assets straight into the attacker's contract.
According to the security firm Beosin, the root cause was that the route did not account for a call transferring 0 WETH. With a zero amount, the balance check meant to confirm that the route had moved the expected funds was trivially satisfied, so the attacker was free to encode any function in swapExtraData while the check still passed.
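The following is an added Python model of the flaw just described, written for this page; it is not Socket's contract code. It models the route as: pull the caller's amount, forward swapExtraData to the token contract with the gateway as msg.sender, then check that the gateway's balance moved by exactly that amount. That shape, the hardened variant, all function names and all addresses are assumptions; the only fixed value is the standard ERC-20 selector 0x23b872dd for transferFrom(address,address,uint256). The attack payload is built with amount = 0 to show why the balance check never fires.

```python
# Added simplified model of the route flaw described above; not Socket's code.
# Addresses, function names and the exact form of the balance check are assumptions.

TRANSFER_FROM_SELECTOR = bytes.fromhex("23b872dd")   # transferFrom(address,address,uint256)
UINT256_MAX = 2**256 - 1

GATEWAY  = "0x1111111111111111111111111111111111111111"   # hypothetical addresses
VICTIM   = "0x2222222222222222222222222222222222222222"
ATTACKER = "0x3333333333333333333333333333333333333333"


def encode_transfer_from(src: str, dst: str, amount: int) -> bytes:
    """ABI-encode transferFrom(src, dst, amount): 4-byte selector + three 32-byte words."""
    def word(addr: str) -> bytes:
        return bytes.fromhex(addr[2:]).rjust(32, b"\x00")
    return TRANSFER_FROM_SELECTOR + word(src) + word(dst) + amount.to_bytes(32, "big")


class Token:
    """Minimal ERC-20 model whose call() stands in for a low-level address.call(data)."""

    def __init__(self, balances: dict):
        self.balances = dict(balances)
        self.allowance = {}                      # (owner, spender) -> remaining allowance

    def approve(self, owner: str, spender: str, amount: int) -> None:
        self.allowance[(owner, spender)] = amount

    def transfer_from(self, caller: str, src: str, dst: str, amount: int) -> None:
        allowed = self.allowance.get((src, caller), 0)
        if allowed < amount or self.balances.get(src, 0) < amount:
            raise ValueError("ERC20: insufficient allowance or balance")
        if allowed != UINT256_MAX:               # unlimited approvals are never decremented
            self.allowance[(src, caller)] = allowed - amount
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def call(self, caller: str, data: bytes) -> None:
        """Dispatch raw calldata on its selector, as the token contract would."""
        selector, args = data[:4], data[4:]
        if selector != TRANSFER_FROM_SELECTOR or len(args) != 96:
            raise ValueError("call reverted: unsupported selector")
        src, dst = "0x" + args[12:32].hex(), "0x" + args[44:64].hex()
        self.transfer_from(caller, src, dst, int.from_bytes(args[64:96], "big"))


def _swap_and_check(token: Token, caller: str, amount: int, swap_extra_data: bytes) -> None:
    """Assumed route body: pull `amount` from the caller, forward swapExtraData to the
    token with the gateway as msg.sender, then require the gateway's balance to have
    moved by exactly `amount`.  With amount == 0 that check passes whatever the call did."""
    if amount > 0:
        token.transfer_from(GATEWAY, caller, GATEWAY, amount)
    before = token.balances.get(GATEWAY, 0)
    token.call(GATEWAY, swap_extra_data)
    after = token.balances.get(GATEWAY, 0)
    if before - after != amount:
        raise ValueError("route reverted: swap did not consume the expected amount")


def vulnerable_route(token, caller, amount, swap_extra_data) -> None:
    """No validation of amount or calldata before the external call."""
    _swap_and_check(token, caller, amount, swap_extra_data)


def hardened_route(token, caller, amount, swap_extra_data) -> None:
    """Reject zero-amount swaps and calldata that would spend the gateway's approvals.
    A production fix would also restrict the call target to an allowlisted swap contract."""
    if amount == 0:
        raise ValueError("route reverted: amount must be positive")
    if swap_extra_data[:4] == TRANSFER_FROM_SELECTOR:
        raise ValueError("route reverted: transferFrom is not a permitted swap call")
    _swap_and_check(token, caller, amount, swap_extra_data)


def run_attack(route) -> dict:
    """Constructed scenario: the victim holds 10 WETH and gave the gateway an unlimited approval."""
    weth = Token({VICTIM: 10, ATTACKER: 0})
    weth.approve(VICTIM, GATEWAY, UINT256_MAX)
    payload = encode_transfer_from(VICTIM, ATTACKER, 10)
    try:
        route(weth, ATTACKER, 0, payload)        # amount 0 is what defeats the balance check
        outcome = "drained"
    except ValueError as exc:
        outcome = f"reverted: {exc}"
    return {"outcome": outcome, "victim": weth.balances[VICTIM], "attacker": weth.balances[ATTACKER]}


if __name__ == "__main__":
    print(run_attack(vulnerable_route))          # {'outcome': 'drained', 'victim': 0, 'attacker': 10}
    print(run_attack(hardened_route))            # {'outcome': 'reverted: ...', 'victim': 10, 'attacker': 0}
```

The point the model makes: the balance check only compares the gateway's own balance, so a forwarded call that moves tokens between two other parties (victim to attacker) leaves the delta at zero, and a zero `amount` makes zero the expected value. Any route that forwards caller-controlled calldata from a contract holding user approvals needs a positive-amount check, a selector or target allowlist, and ideally a separate executor contract that holds no approvals at all.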
The attacker responsible for the breach operates from address 0x50df5a2217588772471b84adbbe4194a2ed39066, targeting the SocketGateway contract at 0x3a23f943181408eac424116af7b7790c94cb97a5.
Although Socket's contracts had been audited by Peckshield and Consensys Diligence, neither review covered the route added three days before the incident, so the flaw was never examined.
The stolen funds, comprising ETH, MATIC, WBTC, WETH, and DAI, amount to approximately $3.3M and remain in possession of the attacker.
The funds are still held at the attacker's address, which has since received an on-chain message demanding payment in exchange for not revealing the attacker's identity:
"Send 100 ETH and I will discard the timing analysis route via FixedFloat that reveals your identity. After 6 hours, I will approach Zach. Time is of the essence."
Infinite approval issues resurface.
Although Bungee clarified that “Bungee doesn't automatically request infinite approvals,” other protocols integrating the affected contract should treat the approval prompt as a security decision rather than only a user-experience one, requesting no more than the amount a transaction needs.
Otherwise, it's difficult to comprehend how so many users could be left vulnerable.
With the largest loss exceeding $600K and the five most affected victims each losing over $100K, this incident serves as a costly lesson in managing approvals securely.
Without a regular review and revocation process, token approvals stay live indefinitely and can be exploited through either active or long-forgotten projects. Because tokens are pulled directly from users' wallets via those approvals, a victim does not need to deposit anything further to be affected.
However, all of this could have been prevented by avoiding risky, unaudited upgrades to existing bridge contracts.
Anonymous reader, have you reviewed your approvals recently?
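As an added example (not a Blockbasis or RevokeCash tool), here is a small Python script that reconstructs a wallet's outstanding ERC-20 allowances from Approval event logs, flags unlimited approvals and approvals to a known-compromised spender, and builds the approve(spender, 0) calldata needed to revoke them. The log records are constructed for illustration; on a live chain they would come from eth_getLogs filtered on the Approval topic with the wallet address in the second topic. The wallet, router and token addresses are hypothetical; the gateway address is the one cited in this article, and the topic hash and selector are the standard ERC-20 values.

```python
from typing import Iterable, Optional

# Standard ERC-20 constants (keccak256 of the event / function signature)
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
APPROVE_SELECTOR = "095ea7b3"            # approve(address,uint256)
UINT256_MAX = 2**256 - 1

# Hypothetical wallet, router and token addresses; the gateway is the one named in the article.
OWNER          = "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
OTHER_OWNER    = "0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
SOCKET_GATEWAY = "0x3a23f943181408eac424116af7b7790c94cb97a5"
DEX_ROUTER     = "0xcccccccccccccccccccccccccccccccccccccccc"
WETH           = "0xdddddddddddddddddddddddddddddddddddddddd"
DAI            = "0xeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee"


def _topic(addr: str) -> str:
    """Indexed address parameter as a 32-byte topic."""
    return "0x" + addr[2:].lower().rjust(64, "0")


def _log(token: str, owner: str, spender: str, value: int, block: int, idx: int) -> dict:
    """Build an eth_getLogs-shaped Approval record (constructed test data)."""
    return {"address": token, "topics": [APPROVAL_TOPIC, _topic(owner), _topic(spender)],
            "data": "0x" + format(value, "064x"), "blockNumber": block, "logIndex": idx}


SAMPLE_LOGS = [                                                  # constructed, not real chain data
    _log(WETH, OWNER, SOCKET_GATEWAY, UINT256_MAX, 100, 0),      # unlimited approval to the gateway
    _log(DAI,  OWNER, DEX_ROUTER, 5 * 10**18, 101, 3),           # finite approval, still live
    _log(WETH, OWNER, DEX_ROUTER, 7 * 10**18, 103, 1),
    _log(WETH, OWNER, DEX_ROUTER, 0, 104, 2),                    # later revoked
    _log(WETH, OTHER_OWNER, SOCKET_GATEWAY, UINT256_MAX, 105, 0),  # someone else's wallet
]


def decode_approval(log: dict) -> Optional[dict]:
    """Decode one Approval log; returns None for any other event."""
    if log["topics"][0] != APPROVAL_TOPIC or len(log["topics"]) != 3:
        return None
    return {"token": log["address"].lower(),
            "owner": "0x" + log["topics"][1][-40:],
            "spender": "0x" + log["topics"][2][-40:],
            "value": int(log["data"], 16),
            "order": (log["blockNumber"], log["logIndex"])}


def outstanding_allowances(logs: Iterable[dict], owner: str) -> dict:
    """Latest Approval value per (token, spender) for `owner`; zero values are dropped."""
    latest = {}
    for log in logs:
        ev = decode_approval(log)
        if ev is None or ev["owner"] != owner.lower():
            continue
        key = (ev["token"], ev["spender"])
        if key not in latest or ev["order"] > latest[key]["order"]:   # logs may arrive unordered
            latest[key] = ev
    return {k: v["value"] for k, v in latest.items() if v["value"] > 0}


def revoke_calldata(spender: str) -> str:
    """Calldata for approve(spender, 0); the transaction is sent to the token contract."""
    return "0x" + APPROVE_SELECTOR + spender[2:].lower().rjust(64, "0") + "0" * 64


def risky_allowances(allowances: dict, compromised: Iterable[str] = ()) -> list:
    """Flag unlimited approvals and any approval to a known-compromised spender."""
    compromised = {s.lower() for s in compromised}
    findings = []
    for (token, spender), value in allowances.items():
        reasons = []
        if value == UINT256_MAX:
            reasons.append("unlimited")
        if spender in compromised:
            reasons.append("compromised spender")
        if reasons:
            findings.append({"token": token, "spender": spender, "reasons": reasons,
                             "revoke_tx": {"to": token, "data": revoke_calldata(spender)}})
    return findings


if __name__ == "__main__":
    live = outstanding_allowances(SAMPLE_LOGS, OWNER)
    for finding in risky_allowances(live, {SOCKET_GATEWAY}):
        print(finding)
```

Two caveats for real use. Approval logs only record values set by approve(); tokens that do not emit Approval when transferFrom consumes part of an allowance will make this reconstruction an upper bound, so confirm each finding with an allowance(owner, spender) call before and after sending the revocation. And "unlimited" here means exactly 2^256-1; some front ends request other very large values, so a threshold relative to your balance is a reasonable extension.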