Socket Loses $3.3 Million in Hack Due to Input Validation Flaw

Blockchain interoperability protocol Socket reported a security breach on Tuesday that resulted in over $3.3 million in losses. The incident impacted wallets that had granted infinite approvals to Socket contracts. It was attributed to a vulnerability in user input validation.
The exploit was linked to a specific route in the system that had been added just three days before the attack. As per blockchain security firm PeckShield, the problematic route has since been deactivated to prevent further misuse.
Socket identified the issue
In response to the breach, Socket said it has identified the vulnerability in user input validation. The hack affected its Bungee bridging aggregator.
Today's hack on @SocketDotTech results in the loss of >$3.3m.
The bad route exploited in the hack was added 3 days ago and is now disabled. Here are related txs:
– add route tx: https://t.co/lxw7iA1kn4
– disable route tx: https://t.co/QMHfI4YeuU
The hack is due to… https://t.co/QdBBgVF287 pic.twitter.com/yNxF5vCwax
— PeckShield Inc. (@peckshield) January 16, 2024
Socket acknowledged the breach and informed users of the action taken to address the situation. The company paused the affected contracts and reassured users that no further actions were needed on their part. The response aimed to limit the impact and protect user assets.
Hacken, another cybersecurity firm, confirmed that the vulnerability stemmed from a recently deployed contract. They identified the issue as an incomplete validation of user input, which allowed attackers to exploit the contracts for unauthorized fund transfers.
Meanwhile, blockchain developer Francesco Andreoli noted in a post, “Happy to report that users of @MetaMask swaps are safe from the current Socket Gateway hack. We’ll probably be writing a bit more soon about how our architecture allowed us to integrate Socket without being vulnerable to it.”
The incident highlights the need for smart contract security as DeFi evolves. It calls for rigorous security protocols, and decentralized applications require constant vigilance to protect user assets.
Crypto investor Ryan S. Adams, known as rsa.eth on X, shared his concerns as a “crypto native” in the context of a recent security breach. His tweets reflect the anxiety and challenges faced by individuals heavily invested in the cryptocurrency ecosystem, particularly during security incidents.
He noted, “Why can’t our wallets auto-revoke for us…why can’t they alert us when there’s an issue like this? We need protection against bugs and phishing inside our wallets.”
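As an added illustration (not code from Socket, PeckShield or any wallet), the Python below shows the kind of check the quote asks for: it replays ERC-20 Approval logs and lists wallets that still hold an unlimited allowance to a watched spender contract. The addresses, the log entries and the 2**255 "unlimited" threshold are assumptions constructed for the example.

```python
# Added example; every address and log entry here is constructed sample data.
# keccak256("Approval(address,address,uint256)"): the ERC-20 Approval event topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
MAX_UINT256 = 2**256 - 1
UNLIMITED_THRESHOLD = 2**255  # assumption: at or above this counts as "infinite"

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def standing_unlimited_approvals(logs, watched_spenders):
    """Replay Approval logs in chain order; return (token, owner, spender)
    tuples whose latest allowance to a watched spender is still unlimited."""
    watched = {s.lower() for s in watched_spenders}
    latest = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        # ERC-20 Approval carries 3 topics; ERC-721 Approval carries 4, skip it
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        spender = topic_to_address(topics[2])
        if spender not in watched:
            continue
        key = (log["address"].lower(), topic_to_address(topics[1]), spender)
        latest[key] = int(log["data"], 16)  # a later approve(), e.g. to 0, overwrites
    return sorted(k for k, v in latest.items() if v >= UNLIMITED_THRESHOLD)

def make_log(block, idx, token, owner, spender, amount):
    """Constructed log shaped like an eth_getLogs entry (block/index kept as
    ints here for brevity; JSON-RPC returns them as hex strings)."""
    pad = lambda a: "0x" + a[2:].rjust(64, "0")
    return {"blockNumber": block, "logIndex": idx, "address": token,
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(amount, "064x")}

TOKEN, SPENDER, OTHER = ("0x" + b * 20 for b in ("aa", "bb", "cc"))  # placeholders
ALICE, BOB, CAROL = ("0x" + b * 20 for b in ("01", "02", "03"))
SAMPLE_LOGS = [
    make_log(100, 0, TOKEN, ALICE, SPENDER, MAX_UINT256),  # unlimited, never revoked
    make_log(101, 2, TOKEN, BOB, SPENDER, MAX_UINT256),
    make_log(105, 1, TOKEN, BOB, SPENDER, 0),              # revoked later
    make_log(102, 0, TOKEN, CAROL, SPENDER, 500 * 10**6),  # bounded allowance
    make_log(103, 0, TOKEN, CAROL, OTHER, MAX_UINT256),    # spender not watched
]

if __name__ == "__main__":
    for token, owner, spender in standing_unlimited_approvals(SAMPLE_LOGS, [SPENDER]):
        print(f"still unlimited: owner={owner} token={token} spender={spender}")
```

Event replay is only a first pass; confirm each hit with the token's allowance(owner, spender) call before prompting a revoke.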