Clipper DEX Attributes $450K Hack to Withdrawal Vulnerability, Denies Private Key Leak

fiverr
A graphical illustration of a decentralized exchange hack emphasizing a $450,000 loss due to a withdrawal vulnerability.
Changelly

Denies Private Key Leak Overview of the hack Decentralized exchange Clipper explained that a hack that siphoned $450,000 was due to a withdrawal vulnerability and not a leak in the private key. The exploit had taken place on Dec. 1 by an attacker who targeted two liquidity pools and drained 6% of the total value locked on the platform. Other pools weren’t affected.

In an X post, Clipper explained that the vulnerability was tied to a feature allowing for withdrawals via a bundled swap and deposit/withdrawal transaction. That feature has now been disabled to prevent further incidents.

Security Claims and Counterclaims

The first theory of a private key leak came from Chaofan Shou, co-founder of security firm Fuzzland. Shou speculated the attack involved an API vulnerability that could simulate a private key compromise, which enabled unauthorized signing of deposit and withdrawal requests.

Clipper has categorically denied this claim, saying: “There have been third-party claims suggesting a private key leak. We can confirm this is not the case and is inconsistent with the design and security architecture of Clipper.” In other words, the platform said this was impossible because of its internal security measures.

Immediate Actions Taken

After the hack, Clipper paused swaps and deposits on its protocol. Withdrawals remain open but are only allowed in mixed asset transactions to minimize risk. The exchange has also started tracing the stolen funds and called on the hacker to return the assets and start contact.

bybit

The project has assured users that investigations are ongoing and promised updates in due time. Meanwhile, Clipper’s creator, Shipyard Software Inc., has not released any statements on the matter.

Broader Context of Crypto Exploits

The Clipper hack adds to a series of crypto exploits in 2024. A report by Immunefi reveals that $1.48 billion in crypto has been stolen this year through November, a 15% decrease compared to the same period in 2023. Despite the decline, high-profile incidents like this highlight ongoing vulnerabilities in the decentralized finance (DeFi) space.

Meanwhile, Clipper has expressed its commitment to enhancing its platform’s security and rebuilding the lost trust among users through investigations.

Binance