Socket says Bungee protocol exploited as funds worth $6 million appear to be stolen
Quick Take: An unknown attacker appears to have drained millions worth of stablecoins and other tokens from the bridging aggregator Bungee.
Interoperability protocol Socket said Tuesday that it had paused affected contracts after reports the Bungee bridging aggregator it develops was affected by an exploit that saw as much as $6 million stolen.
"Socket has experienced a security incident which affected wallets with infinite approvals to Socket contracts. We have identified the issue and have paused the affected contracts," the project's team wrote at 3:15 p.m. ET on Tuesday.
The incident was noticed an hour earlier by an anonymous researcher who goes by Spreek on X.
"Several million already gone," Spreek wrote at 2:19 p.m. ET, pointing at the attacker's address and recommending that users revoke approvals for Socket immediately. Around 2:47 p.m. ET, the attack seems to have stopped, they later posted.
"Think this pause fixed it, very likely no more attacks are possible. So if you are currently freaking out about revoking you can probably relax," Spreek wrote.
More than $6 million received
In a little more than one hour, the reported wallet received over $6 million in USDT, USDC and DAI stablecoins, $123,500 worth of wrapped BTC, $108,600 in wrapped ether and $132,000 of MATIC, according to Etherscan. The wallet has been sending the received funds to Uniswap, 1inch and other decentralized exchanges.
According to PeckShield, the exploit was a result of "incomplete validation of user input, which is exploited to steal funds from users who have approved the vulnerable SocketGateway contract," the researchers wrote on X.
PeckShield confirmed that at least $3.3 million had been affected.
"The bad route exploited in the hack was added 3 days ago and is now disabled," it wrote in a post on X.
"The exploiter appeared to be draining assets from users that have over-approved Socket, allowing them to take funds up to the limit of their approval. To stop this users would have to revoke their approvals," The Block research director Steven Zheng said, referring to the cases in which a user allows a protocol to interact with a wallet containing more funds than is necessary for a transaction.
"For example, if you’re bridging $1,000 in funds but approved the bridge for $2,000, the remaining $1,000 of approvals you didn't use can be drained in this attack," Zheng explained.
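The exposure Zheng describes can be audited from approval history. The following is an added example, not code from Socket, PeckShield or The Block: it replays ERC-20 approvals and spends for one spender and reports what that spender could still pull from each wallet. The event records, owner names and the `gateway-placeholder` label are constructed, and it assumes the maximum uint256 value marks an infinite approval that spending does not reduce.

```python
MAX_UINT256 = 2**256 - 1  # value wallets conventionally use for an "infinite" approval

def residual_exposure(events, balances, spender):
    """Replay approvals and spends in order; return {(owner, token): amount} that
    `spender` could still pull, capped by what the owner currently holds."""
    allowance = {}
    for ev in events:
        if ev["spender"] != spender:
            continue  # approvals to other contracts are out of scope
        key = (ev["owner"], ev["token"])
        if ev["kind"] == "approve":
            allowance[key] = ev["amount"]  # approve() overwrites; 0 is a revoke
        elif ev["kind"] == "spend":
            left = allowance.get(key, 0)
            if left != MAX_UINT256:  # assumption: infinite approvals are not decremented
                allowance[key] = max(left - ev["amount"], 0)
    exposure = {}
    for key, allowed in allowance.items():
        at_risk = min(allowed, balances.get(key, 0))
        if at_risk > 0:
            exposure[key] = at_risk
    return exposure

# Constructed sample data (whole-token units, hypothetical owners and labels).
GATEWAY = "gateway-placeholder"

def ev(kind, owner, amount, spender=GATEWAY, token="USDC"):
    return {"kind": kind, "owner": owner, "token": token,
            "spender": spender, "amount": amount}

SAMPLE_EVENTS = [
    ev("approve", "alice", 2000), ev("spend", "alice", 1000),    # over-approved
    ev("approve", "bob", MAX_UINT256), ev("spend", "bob", 500),  # infinite approval
    ev("approve", "carol", 1000), ev("spend", "carol", 1000),    # exact approval, used up
    ev("approve", "dave", 2000), ev("approve", "dave", 0),       # revoked
    ev("approve", "erin", 2000, spender="other-contract"),       # different spender
]
SAMPLE_BALANCES = {(owner, "USDC"): held for owner, held in
                   [("alice", 5000), ("bob", 3000), ("carol", 4000),
                    ("dave", 4000), ("erin", 4000)]}

if __name__ == "__main__":
    found = residual_exposure(SAMPLE_EVENTS, SAMPLE_BALANCES, GATEWAY)
    for (owner, token), amount in found.items():
        print(f"{owner}: up to {amount} {token} still reachable; revoke the approval")
```

In the sample, alice matches Zheng's $1,000 case, while bob's infinite approval exposes his whole balance; carol and dave have nothing left to revoke.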
Socket said it was continuing to work on the situation and that it would provide regular updates.