Bungee Bridge Suffers $3.3 Million Loss Due to Hack

Socket, the developer behind the Bungee bridge, has confirmed that their cross-chain solution was hacked, resulting in a $3.3 million loss.

Update on January 23:
In a recent announcement on the afternoon of January 23, Socket revealed that they have recovered 1,032 ETH (valued at $2.3 million) from last week's incident.
FUND RECOVERY UPDATE
We have successfully recovered 1032 ETH from the funds involved in the incident on 16th Jan.
We will release a recovery & distribution plan for users soon.
Big shoutout to everyone who helped us from Seal911, Slowmist, Hexagate, & others: @samczsun…
— Socket (@SocketProtocol) January 23, 2024
The project will soon disclose a compensation plan for the affected victims.
Original Article:
In the early hours of January 17, Socket announced that they had temporarily suspended the affected smart contracts due to the security breach of Bungee Exchange, their cross-chain bridge solution.
Urgent
Socket has experienced a security incident which affected wallets with infinite approvals to Socket contracts.
We have identified the issue & have paused the affected contracts.
We're working on the situation & will keep you informed with regular updates & next steps.
— Socket (@SocketProtocol) January 16, 2024
According to security firm PeckShield, the attack was caused by insufficient input validation in Bungee's smart contract, which hackers exploited to drain funds from users who had approved the contract.
The vulnerable smart contract was added three days prior to the incident and has since been disabled, PeckShield added.
Today's hack on @SocketDotTech results in the loss of >$3.3m.
The bad route exploited in the hack was added 3 days ago and is now disabled. Here are related txs:
- add route tx: https://t.co/lxw7iA1kn4
- disable route tx: https://t.co/QMHfI4YeuU
The hack is due to… https://t.co/QdBBgVF287 pic.twitter.com/yNxF5vCwax
— PeckShield Inc. (@peckshield) January 16, 2024
Steven Zhang, an analyst at The Block, explained that the vulnerability allowed hackers to drain funds from user wallets based on their approval limits. For instance, if a user intended to transfer $1,000 via Bungee but had previously approved a transaction limit of $2,000, the hacker could still withdraw the remaining $1,000 from the wallet.
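To make the allowance arithmetic in the paragraph above concrete, here is an added example that is not code from Socket, Bungee, PeckShield or The Block. It models ERC-20 approve/transferFrom bookkeeping in Python, replays the $2,000-approved / $1,000-used case, and also covers the "infinite approval" case from Socket's own notice, where the allowance is never decremented and the exposure is the user's entire balance. The token, the "user" and "bridge" account names, and all amounts are constructed for the example; the only real constant is the 2^256-1 value wallets use for unlimited approvals.

```python
# Added example (not from the article or from Socket/Bungee): a minimal
# ERC-20-style ledger used to show how much a compromised spender contract
# can still move after the user's intended transfer has gone through.

from dataclasses import dataclass, field

MAX_UINT256 = 2**256 - 1  # value wallets use for an "infinite" approval


@dataclass
class Token:
    """Simplified ERC-20 bookkeeping: balances and (owner, spender) allowances."""
    balances: dict = field(default_factory=dict)
    allowances: dict = field(default_factory=dict)

    def approve(self, owner: str, spender: str, amount: int) -> None:
        # approve() overwrites the allowance; approve(..., 0) revokes it.
        self.allowances[(owner, spender)] = amount

    def allowance(self, owner: str, spender: str) -> int:
        return self.allowances.get((owner, spender), 0)

    def transfer_from(self, spender: str, owner: str, to: str, amount: int) -> None:
        """Spend an allowance the way ERC-20 transferFrom does.
        Unlimited (MAX_UINT256) approvals are, by convention, not decremented."""
        allowed = self.allowance(owner, spender)
        if allowed < amount or self.balances.get(owner, 0) < amount:
            raise ValueError("insufficient allowance or balance")
        if allowed != MAX_UINT256:
            self.allowances[(owner, spender)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def exposure(token: Token, owner: str, spender: str) -> int:
    """Tokens the spender could still pull from `owner` right now: bounded by
    both the remaining allowance and what the owner actually holds."""
    return min(token.allowance(owner, spender), token.balances.get(owner, 0))


def scenario(approved: int, intended: int, balance: int = 2_000) -> int:
    """Constructed scenario: `user` approves `approved`, the bridge moves
    `intended` on the user's behalf, and we report the leftover exposure."""
    t = Token(balances={"user": balance})
    t.approve("user", "bridge", approved)
    t.transfer_from("bridge", "user", "bridge", intended)  # the legitimate transfer
    return exposure(t, "user", "bridge")


def scenario_after_revoke(approved: int, intended: int, balance: int = 2_000) -> int:
    """Same scenario, but the user revokes the approval once the transfer is done."""
    t = Token(balances={"user": balance})
    t.approve("user", "bridge", approved)
    t.transfer_from("bridge", "user", "bridge", intended)
    t.approve("user", "bridge", 0)  # revoke: exposure drops to zero
    return exposure(t, "user", "bridge")


if __name__ == "__main__":
    print("approved 2000, used 1000:", scenario(2_000, 1_000))          # 1000 left exposed
    print("approved 1000, used 1000:", scenario(1_000, 1_000))          # exact approval: 0
    print("infinite, used 1000 of 5000:", scenario(MAX_UINT256, 1_000, 5_000))  # whole remaining balance
    print("infinite, then revoked:", scenario_after_revoke(MAX_UINT256, 1_000, 5_000))
```

The two levers this makes visible are the ones defenders care about: approving exactly the amount to be moved leaves no leftover allowance, and revoking (approve to 0) after use closes the window entirely, whereas an infinite approval keeps the whole balance reachable for as long as the spender contract is trusted.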
Socket is currently investigating the incident and will provide updates to affected users soon.
January 2024 has witnessed several attacks targeting crypto projects, including the Orbit Chain bridge ($81.5 million), lending platform Radiant Capital ($4.5 million), liquidity protocol Gamma Protocol ($6.3 million), and hacks on X (Twitter) accounts of CertiK, CoinGecko, and the U.S. Securities and Exchange Commission (SEC).