Decentralized exchange (DEX) Clipper recently clarified the details surrounding a security breach that resulted in the theft of $450,000 from its protocol. The attack, which occurred on December 1, exploited a vulnerability in Clipper’s withdrawal function, not a private key leak as initially suggested by a third party.
In an update posted on X (formerly Twitter), Clipper explained that the hacker took advantage of two liquidity pools, stealing roughly 6% of the platform’s total value locked (TVL). The exploit was confined to these two pools, and no other assets were affected. The protocol assured users that the exploit had been resolved.
The hack led to speculation from outside security experts about the potential cause of the breach. Chaofan Shou, co-founder of security firm Fuzzland, initially suggested that the vulnerability was linked to a private key leak, implying that the API may have been compromised, allowing the attacker to sign unauthorized deposit and withdrawal requests.
However, Clipper swiftly rejected these claims, stating that a private key leak was not the cause. They explained that the exploit was tied to the ability to withdraw funds in a single token through a combined swap and deposit/withdrawal transaction, a feature now disabled as a result of the attack. Clipper emphasized that a private key leak would be inconsistent with the platform’s design and security architecture.
“There have been third-party claims suggesting a private key leak. We can confirm that this is not the case and is inconsistent with the design and security architecture of Clipper,” the platform stated.
In response to the attack, Clipper has taken a number of precautionary measures to mitigate further risk. The platform temporarily paused swaps and deposits on its protocol while leaving withdrawals open, albeit with new restrictions. Withdrawals are now only allowed in the form of a mix of all assets in the affected pools, rather than individual tokens.
The Clipper team confirmed that it is actively investigating the incident and is working to trace the stolen funds in hopes of recovering them. They have also made a public appeal to the attacker, urging them to contact the project if they are willing to engage in a conversation.
This latest hack adds to the growing list of crypto security breaches in 2024, which have collectively seen over $1.48 billion worth of digital assets stolen as of November 28. Despite this, the total value stolen so far this year represents a 15% decrease compared to the same period in 2023, according to a recent report from Immunefi.
While the exact financial impact of the Clipper hack remains to be fully understood, the project’s response has highlighted the importance of securing decentralized platforms against evolving threats. As Clipper continues to investigate the incident, the broader crypto community is reminded of the risks that come with decentralized finance (DeFi) and the need for robust security measures.
Shipyard Software Inc., the creator of Clipper, did not respond to a request for comment outside of regular business hours, nor did Chaofan Shou, the security expert, when asked for additional insights into the breach.
The incident serves as a reminder of the vulnerabilities that still exist in the rapidly developing DeFi ecosystem, and the need for continued vigilance and improvement in security protocols.