Socket Protocol Confirm Approval Attack Analysis

Olympix
4 min read · Jan 22, 2024


Introduction

Socket, an interoperability protocol, also known as a cross-chain bridge protocol, was exploited for $3.4M in a confirmed approval exploit. The protocol serves numerous Web3 applications such as Synthetix, Lyra, Kwenta, Superform, Plasma Finance, and Level Finance.

Summary

On January 16, 2024, the Socket cross-chain bridge protocol suffered a $3.4 million exploit due to a vulnerability in its approval mechanism. The attacker siphoned funds in USDT, USDC, MATIC, and DAI from individuals who had previously granted unlimited approvals to the SocketGateway contract. The team immediately paused the smart contracts.

A look at the hacker’s wallet using Etherscan.

Event Timeline

7:11 PM UTC

7:13 PM UTC

7:19 PM UTC

  • Alarms are raised as the Socket team receives notifications from users and the Hexagate system, alerting them to the ongoing attack.

7:25 PM UTC

  • Swift action is taken to contain the damage. The Socket team pauses the affected contract, halting the attacker’s ability to steal additional funds. Simultaneously, a War Room is established, uniting security experts to investigate the incident’s details.

7:29 PM UTC

  • A focused investigation yields results as the team pinpoints the root cause: an unverified contract call within the WrappedTokenSwapperImpl module exploited to transfer user tokens.

8:05 PM UTC

  • Transparency takes center stage as Socket initiates external communications, informing the public of the incident via Twitter.

9:22 PM UTC

  • In a proactive move, the Socket Admin wallet sends an on-chain message to the attacker, initiating contact in hopes of negotiating the recovery of stolen funds.

Identification of Vulnerability

The root cause of the exploit was traced to the WrappedTokenSwapperImpl contract, a recent addition to the Socket protocol.

Within WrappedTokenSwapperImpl, the performAction() function did not validate swapExtraData before forwarding it in an external call to the target. This oversight allowed attackers to craft payloads that invoked transferFrom() and siphoned funds from users who had granted unlimited approvals to the SocketGateway contract.

To initiate the exploit, the attacker leveraged the fallback mechanism inside SocketGateway, which dynamically routes calls to other contracts, allowing them to call performAction(). With access to this capability and the control offered by the unvalidated swapExtraData, the attacker systematically drained funds from other users, accumulating more than $3 million.

Image credit: Socket team

Attack Vector

  • Crafted payload to invoke transferFrom() within performAction().
  • Triggered performAction() using fallback function in SocketGateway.
  • Repeatedly drained funds from approved users.
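A worked illustration of the pattern described in the vulnerability section and the attack-vector list above: a hypothetical route that forwards caller-supplied swapExtraData to a caller-chosen token address, beside a hardened version that fixes the target and allow-lists the selectors it will execute. This is added example code, not Socket's contracts; the contract names, the address(0) convention for the native coin and the deposit()/withdraw(uint256) wrapped-token interface are assumptions of the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}
// Hypothetical route (not Socket's code). The token address and the bytes forwarded to it
// both come from the caller, and the call runs with this contract (or, under delegatecall,
// the gateway) as msg.sender. Setting amount == 0 skips the pull, and swapExtraData can
// carry transferFrom(victim, ...), spending any allowance users granted to the gateway.
contract VulnerableWrapRoute {
    function performAction(address fromToken, uint256 amount, bytes calldata swapExtraData) external payable {
        if (amount > 0) IERC20(fromToken).transferFrom(msg.sender, address(this), amount);
        (bool ok, ) = fromToken.call(swapExtraData); // unvalidated forward of caller bytes
        require(ok, "swap failed");
    }
}

// Hardened form: the wrapped-token target is fixed at deployment, only deposit() and
// withdraw(uint256) are accepted, the calldata is rebuilt from validated fields instead
// of passed through, and a zero amount reverts rather than silently skipping the pull.
// address(0) stands for the native coin here (an assumption of this example).
contract HardenedWrapRoute {
    address public immutable wrappedToken;
    bytes4 private constant DEPOSIT = bytes4(keccak256("deposit()"));
    bytes4 private constant WITHDRAW = bytes4(keccak256("withdraw(uint256)"));
    constructor(address _wrappedToken) { wrappedToken = _wrappedToken; }
    receive() external payable {} // receives the native coin unwrapped by withdraw()

    function performAction(address fromToken, uint256 amount, bytes calldata swapExtraData) external payable {
        require(amount > 0, "zero amount");
        require(swapExtraData.length >= 4, "short calldata");
        bytes4 sel = bytes4(swapExtraData[:4]);
        if (sel == DEPOSIT) {
            // native -> wrapped: value must equal amount and no extra bytes are allowed
            require(fromToken == address(0) && msg.value == amount && swapExtraData.length == 4, "bad deposit");
            (bool ok, ) = wrappedToken.call{value: amount}(abi.encodeWithSelector(DEPOSIT));
            require(ok, "deposit failed");
        } else if (sel == WITHDRAW) {
            // wrapped -> native: pull exactly `amount` from msg.sender only, then unwrap it
            require(fromToken == wrappedToken && swapExtraData.length == 36, "bad withdraw");
            require(abi.decode(swapExtraData[4:], (uint256)) == amount, "amount mismatch");
            require(IERC20(wrappedToken).transferFrom(msg.sender, address(this), amount), "pull failed");
            (bool ok, ) = wrappedToken.call(abi.encodeWithSelector(WITHDRAW, amount));
            require(ok, "withdraw failed");
        } else {
            revert("selector not allowed");
        }
    }
}
```

The hardened route never executes bytes it did not construct itself, so a transferFrom() selector in swapExtraData is rejected before any external call is made.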

Mitigation Efforts

The Socket Admin promptly paused the vulnerable contract in response to the incident, curbing further exploitation.

Hope for Recovery: Reaching Out to the Hacker

In a move aimed at mitigating the impact of the exploit, the Socket team directly attempted to recover the stolen funds by reaching out to the attacker on-chain at 9:22 PM UTC. This message, sent through the Socket Admin wallet, was an open invitation for dialogue and a potential path toward returning the compromised funds.

However, as of now, the hacker has yet to respond to this outreach.

Translation (from Mandarin to English): We understand you are responsible for the Socket attack. We want to discuss a bounty with you and return most of the funds to affected users. Contact us via blockscan chat. You have 12 hours.

Lessons Learned

Thorough security audits:

  • Rigorously examine smart contracts for vulnerabilities, especially in approval mechanisms.

Defensive coding:

  • Implement robust input validation and access controls.

Incident response preparedness:

  • Establish clear procedures for rapid response and mitigation.

Bug bounty:

  • Protocols should have a bug bounty program to engage maximum eyes on their on-chain assets.

Recommendations

  • Projects using Socket should assess exposure and take necessary precautions.
  • Users should review token approvals and revoke unnecessary permissions.
  • Cross-chain bridge developers should prioritize security best practices.

Conclusion

The Socket exploit highlights the ongoing challenges in securing cross-chain bridges. As the blockchain ecosystem expands, emphasizing cross-chain bridge security measures and user education is crucial to protect funds and maintain trust in these critical infrastructures.

About Olympix

Olympix is a pioneering DevSecOps tool that puts security in the hands of the developer by proactively securing code from day one.

Join our beta program now to fortify your smart contracts and proactively shield them from exploits in the evolving landscape of Web3 security.

