Clipper DEX denies private key leak is behind $450K attack

According to the decentralized exchange Clipper, the $450,000 attack was most likely caused by a withdrawal weakness and not a leak.

Clipper, a decentralized exchange (DEX), clarified that a recent $450,000 breach of its protocol was the result of a vulnerability in its withdrawal function, rather than a private key disclosure as indicated by a “third party.”

The perpetrator exploited two liquidity pools on Dec. 1 and seized approximately 6% of its total value, according to Clipper in an X post. It also stated that the exploit had been terminated and that no other pools were impacted.

“There have been third-party claims that imply a private key breach,” Clipper wrote. “We can verify that this is not the case and is incompatible with the security architecture and design of Clipper.”

“The feature that allows for the withdrawal of a single token (a combined exchange + deposit/withdrawal transaction) has been disabled, as it appears to have been exploited,” it continued.

Chaofan Shou, the co-founder of security firm Fuzzland, had previously stated on X that Clipper was “hacked due to API vulnerability (like private key leak)” and that the API likely contained vulnerabilities that would have enabled an attacker to sign deposit and withdrawal requests and withdraw more funds than they were putting in.

Clipper has announced that it is conducting an investigation into the incident and has committed to furnishing additional information. It has suspended swaps and deposits on its protocol. It stated that withdrawals are permissible, but they must include “all assets in the pool.”

The project stated that it is currently in the process of tracing the stolen funds in order to recover them. It has requested that the exploiter contact the project if they are “willing to speak.”

According to a Nov. 28 Immunefi report, breaches have resulted in the theft of over $1.48 billion in cryptocurrency in 2024 through the end of November, a 15% decrease from the same period last year.

The creator of Clipper, Shipyard Software Inc., did not immediately respond to a request for comment made outside of regular business hours. Shou was also asked for comment but had not yet responded.
