Hack Explained - Socket

Socket Protocol, a cross-chain bridging service, suffered a significant security breach that led to the loss of $3.3 million from users of its Bungee bridge. The attack exploited a newly deployed route contract and exposed a weakness in the protocol's smart contracts.

Behind the Breach

The attack occurred on January 16, 2024. The attacker targeted wallets that had granted infinite approvals to Socket contracts, exploiting a recently added route in the bridging contract. This route did not properly validate the swapExtraData parameter: the calldata it carried was forwarded unchecked, which let the attacker inject a transferFrom call. Because the route contract itself was the approved spender, that call moved approved assets from victim addresses to the attacker's own.

Attacker’s address: 0x50df5a2217588772471b84adbbe4194a2ed39066

Affected contract: 0x3a23f943181408eac424116af7b7790c94cb97a5
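To make the mechanism concrete, below is a simplified illustration added to this write-up. It is not Socket's code: apart from the swapExtraData parameter name, every contract, function and variable name is an assumption. The first contract shows the vulnerable pattern, a route that forwards caller-supplied calldata to the token address; the second shows a hardened version that restricts both where it may call and what it may forward.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative example written for this article; NOT Socket's code.
// Only the parameter name swapExtraData comes from the incident write-up.
// Contract names, performAction, swapTarget and the allow-list are assumptions.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address owner) external view returns (uint256);
}

/// Vulnerable pattern: the route hands caller-controlled calldata to the token
/// contract. Users granted this route an (often unlimited) approval, so the token
/// sees the route as an authorised spender; swapExtraData that encodes
/// transferFrom(victim, attacker, amount) therefore drains any approved wallet.
contract VulnerableRoute {
    function performAction(
        address fromToken,
        uint256 amount,
        bytes calldata swapExtraData
    ) external payable {
        // Pull the caller's own tokens first, as a legitimate swap would.
        if (amount > 0) {
            IERC20(fromToken).transferFrom(msg.sender, address(this), amount);
        }
        // Then forward unvalidated calldata to the token address. In this toy
        // version the call runs even when amount == 0, so the attacker risks nothing.
        (bool ok, ) = fromToken.call(swapExtraData);
        require(ok, "swap failed");
    }
}

/// Hardened pattern: external calls go only to an owner-managed allow-list of
/// swap targets (never to an arbitrary address such as the token itself), the
/// forwarded selector is restricted, and the route spends exactly `amount`.
contract HardenedRoute {
    address public immutable owner;
    mapping(address => bool) public allowedTarget;

    // 0x23b872dd: the ERC-20 transferFrom(address,address,uint256) selector.
    bytes4 private constant TRANSFER_FROM = IERC20.transferFrom.selector;

    constructor() {
        owner = msg.sender;
    }

    function setAllowedTarget(address target, bool allowed) external {
        require(msg.sender == owner, "not owner");
        allowedTarget[target] = allowed;
    }

    function performAction(
        address fromToken,
        address swapTarget,
        uint256 amount,
        bytes calldata swapExtraData
    ) external payable {
        require(amount > 0, "zero amount");
        require(allowedTarget[swapTarget], "target not allowed");
        require(swapTarget != fromToken, "target is the token");
        require(swapExtraData.length >= 4, "short calldata");
        require(bytes4(swapExtraData[:4]) != TRANSFER_FROM, "transferFrom forbidden");

        // Pull exactly `amount` from the caller and verify the balance change.
        uint256 before = IERC20(fromToken).balanceOf(address(this));
        IERC20(fromToken).transferFrom(msg.sender, address(this), amount);
        require(
            IERC20(fromToken).balanceOf(address(this)) - before == amount,
            "pull mismatch"
        );

        // Only now call an allow-listed swap target with the screened calldata.
        (bool ok, ) = swapTarget.call(swapExtraData);
        require(ok, "swap failed");
    }
}
```

The key point is who the token sees as msg.sender. The approval is granted to the route address, so any call the route makes to the token carries the victim's allowance with it; once a contract forwards arbitrary calldata to an arbitrary address, every approval it holds becomes spendable by whoever supplies that calldata. The allow-list and selector check above close that door for this example, and the exact-amount check ensures the route never moves more than the caller intended.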

The Aftermath

In the wake of the attack, Socket Protocol acted swiftly to contain the breach by pausing the affected contracts. Two lessons stand out. On the protocol side, every newly added route should be thoroughly audited before it goes live, since a single unvalidated parameter was enough to expose all approved wallets. On the user side, approving only the amount needed for a transaction rather than granting infinite approvals, and revoking approvals that are no longer needed, would significantly limit the damage from similar incidents.

Rivanorth is a global boutique Web3 cybersecurity company. We specialise in smart contract audits and blockchain security advisory. Visit rivanorth.com to find out more.

You build the future. We help you secure it.