Socket says Bungee protocol exploited as funds worth at least $3.3 million appear to be stolen

Quick Take

  • An unknown attacker appears to have drained millions worth of stablecoins and other tokens from the bridging aggregator Bungee.

Interoperability protocol Socket said Tuesday that it had paused the affected contracts after reports that Bungee, the bridging aggregator it develops, was hit by an exploit in which as much as $3.3 million was stolen.

"Socket has experienced a security incident which affected wallets with infinite approvals to Socket contracts. We have identified the issue & have paused the affected contracts," the project's team wrote at 3:15 p.m. ET on Tuesday.

The incident was noticed an hour earlier by an anonymous researcher who goes by Spreek on X.

"Several million already gone," Spreek wrote at 2:19 p.m. ET, pointing at the attacker's address and recommending that users revoke their approvals for Socket immediately. The attack appears to have stopped around 2:47 p.m. ET, they later posted.

"Think this pause fixed it, very likely no more attacks are possible. So if you are currently freaking out about revoking you can probably relax," Spreek wrote.

More than $3.3 million affected

PeckShield, writing on X, said the exploit was the result of "incomplete validation of user input, which is exploited to steal funds from users who have approved the vulnerable SocketGateway contract."

PeckShield confirmed that at least $3.3 million had been affected.

"The bad route exploited in the hack was added 3 days ago and is now disabled," it wrote in a post on X.

"The exploiter appeared to be draining assets from users that have over-approved Socket, allowing them to take funds up to the limit of their approval. To stop this users would have to revoke their approvals," The Block research director Steven Zheng said, referring to cases in which a user grants a protocol a token allowance larger than the amount the transaction actually needs, leaving the unused remainder available to the approved contract.

"For example, if you're bridging $1,000 in funds but approved the bridge for $2,000, the remaining $1,000 of approvals you didn't use can be drained in this attack," Zheng explained.
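To make the over-approval exposure Zheng describes concrete, here is an added example (not code from Socket, Bungee or The Block) that models ERC-20 allowance accounting in Python and replays his numbers. The two gateway classes are hypothetical: `VulnerableGateway` stands in for the general class of bug PeckShield names (a router that forwards caller-supplied input into `transferFrom` without checking it) and is not a reconstruction of the actual SocketGateway route; `HardenedGateway` shows the missing check. The `drainable` helper computes what a compromised spender could take from a given user right now, which is the figure a user deciding whether to revoke wants to know.

```python
UINT256_MAX = 2**256 - 1  # the "infinite approval" value many wallets set by default


class Erc20:
    """Minimal ERC-20 allowance accounting: balances, approve and transferFrom only.

    Constructed for illustration; it is not a real token contract.
    """

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}  # (owner, spender) -> remaining allowance

    def approve(self, owner, spender, amount):
        # approve(spender, 0) is how a user revokes an allowance
        self.allowances[(owner, spender)] = amount

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def transfer_from(self, spender, owner, to, amount):
        allowed = self.allowance(owner, spender)
        if allowed < amount:
            raise PermissionError("insufficient allowance")
        if self.balances.get(owner, 0) < amount:
            raise ValueError("insufficient balance")
        # As in OpenZeppelin's ERC20, an infinite allowance is never decremented,
        # so it stays open until the owner explicitly revokes it.
        if allowed != UINT256_MAX:
            self.allowances[(owner, spender)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


class VulnerableGateway:
    """Hypothetical router that forwards the caller-supplied `owner` and `to`
    straight into transferFrom. Anyone can name another user's address and pull
    up to that user's remaining allowance to wherever they like."""

    address = "gateway"

    def bridge(self, token, caller, owner, to, amount):
        token.transfer_from(self.address, owner, to, amount)


class HardenedGateway(VulnerableGateway):
    """Same router, but tokens may only be pulled from the transaction sender."""

    def bridge(self, token, caller, owner, to, amount):
        if owner != caller:
            raise PermissionError("may only move the caller's own tokens")
        super().bridge(token, caller, owner, to, amount)


def drainable(token, owner, spender):
    """What a compromised spender could take from `owner` right now: capped by
    both the remaining allowance and the owner's current balance."""
    return min(token.balances.get(owner, 0), token.allowance(owner, spender))


def run_scenario(gateway):
    """Replay Zheng's example: approve 2,000, bridge 1,000, attacker goes for the rest.

    Balances and addresses are constructed sample data.
    """
    usdc = Erc20({"alice": 5_000, "attacker": 0})
    usdc.approve("alice", gateway.address, 2_000)
    # legitimate use: alice bridges 1,000 of the 2,000 she approved
    gateway.bridge(usdc, caller="alice", owner="alice", to="gateway", amount=1_000)
    exposure = drainable(usdc, "alice", gateway.address)  # the unused 1,000
    try:
        gateway.bridge(usdc, caller="attacker", owner="alice", to="attacker", amount=exposure)
        stolen = exposure
    except PermissionError:
        stolen = 0
    usdc.approve("alice", gateway.address, 0)  # the revoke Spreek recommended
    return {
        "exposure_before_attack": exposure,
        "stolen": stolen,
        "alice_balance": usdc.balances["alice"],
        "attacker_balance": usdc.balances["attacker"],
        "exposure_after_revoke": drainable(usdc, "alice", gateway.address),
    }


if __name__ == "__main__":
    print("vulnerable:", run_scenario(VulnerableGateway()))
    print("hardened:  ", run_scenario(HardenedGateway()))
```

The point of the `drainable` check is that exposure is `min(balance, allowance)`, not the allowance alone: an infinite approval on a token you hold none of is harmless today, but becomes a full-balance risk the moment funds arrive, which is why revoking unused allowances (approve to zero) rather than waiting for a pause is the durable fix from the user's side.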

Socket said it was continuing to work on the situation and that it would provide regular updates.

(Corrects story with figures on affected funds from PeckShield.)


Disclaimer: The Block is an independent media outlet that delivers news, research, and data. As of November 2023, Foresight Ventures is a majority investor of The Block. Foresight Ventures invests in other companies in the crypto space. Crypto exchange Bitget is an anchor LP for Foresight Ventures. The Block continues to operate independently to deliver objective, impactful, and timely information about the crypto industry. Here are our current financial disclosures.

© 2024 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Author

Anna is a senior policy reporter at The Block. She has a background in political journalism and covered Russian civil society for a range of news outlets in Moscow, including the award-winning newspaper Novaya Gazeta. Before joining The Block, Anna spent the past five years investigating cryptocurrency policies and adoption around the world at CoinDesk. Anna owns bitcoin and a gift NFT of sentimental value.

Editor

To contact the editor of this story: Nathan Crooks