- Clipper DEX clarifies $450K hack was caused by a vulnerability in its withdrawal system, not a private key leak.
- On December 1, an attacker exploited two liquidity pools, draining 6% of total value locked, but no other pools were affected.
- Clipper pauses protocol to fix API vulnerability, ensuring no further losses while strengthening platform security.
Clipper, a decentralized exchange (DEX), has provided details of the recent $450,000 hack. The team found that the cause was a hole in its withdrawal system, not the private key leak that a third party had alleged.
On December 1, the attacker targeted two distinct liquidity pools, Clipper’s team explained in a post on X. The team reassured users that no other pools were compromised and that the exploit had been stopped and closed off.
Clipper Smart Contract Vulnerability
The incident forced the exchange to temporarily halt its protocol so the team could determine the cause and ensure the platform’s safety. The team has published a detailed, step-by-step explanation of the attack so that users can understand its extent.
At the centre of the exploit was a weakness in Clipper’s smart contract. The contract relies on an API to vet deposit and withdrawal requests before any transaction can take place. This mechanism is designed to move pool shares or tokens in accordance with the user’s order.
Source: Image by Clipper
However, the attacker found a way to abuse this mechanism. The attacker submitted a deposit request that acquired pool shares for a specific number of tokens, then withdrew those pool shares and, in doing so, received more tokens than had initially been deposited into the pool.
Clipper Team Working on Fixes
According to Clipper’s team, the issue most probably lies in the API, which may have approved incorrect deposit and withdrawal transactions. This allowed the attacker to use the protocol in a way that gradually drained funds from the targeted liquidity pool.
However, the platform pointed out that the attacker did not obtain the private key used to sign the requests, which would have been far worse. With the private key, the attacker could have stolen all the funds in a single transaction instead of draining the system gradually using flash loans.
The team is still investigating the incident, fixing the vulnerability and hardening the protocol against further attacks. In the meantime, Clipper has paused its platform to avoid further losses and strengthen every aspect of its security. The Clipper team is doing everything in its capacity to regain users’ confidence while protecting their funds, and is posting frequent updates in the process.