Socket Protocol, an interoperability protocol known for enabling developers to build applications that interact with multiple blockchains at once, has revealed that it has recovered about two-thirds of the ETH stolen from the protocol in a recent attack.
The attack on Socket Protocol took place on January 16, 2024. The attacker exploited the cross-chain bridging platform, affecting 219 users and causing a net loss of around $3.3 million.
The company announced on its official X (formerly Twitter) account that it has successfully recovered 1032 Ether worth $2.3 million, about two-thirds of the stolen amount.
The company has also stated that it will release a plan for its users soon to address how the stolen funds will be distributed among those affected. Socket expressed gratitude towards on-chain analytics accounts for assisting them in recovering the stolen funds.
The hacker was able to steal funds by exploiting a security flaw in Socket’s protocol. The attacker used a token approval (the permission a wallet grants a contract to spend its tokens) that had been granted by an Ethereum account (identified by its last digits, 97a5) to exploit this weakness. The attack only affected wallets that had given Socket unlimited access to their funds.
One positive outcome of the incident was that Socket was able to identify the bug the hacker exploited and fix it, so that it would not face a similar situation again.
In the post made on their X (formerly Twitter) profile, Socket Protocol is seen thanking a group of researchers who helped the firm recover stolen funds.
The cross-chain interoperability protocol identified the security flaw in hours, and within 24 hours of the incident, the bridge was operational again.
The hacker exploited an over-approval vulnerability within the Socket platform, depleting assets to each user’s approved limit.
In other words, an over-approval vulnerability refers to a security weakness in a system where an attacker can exploit the approval process to exceed authorized limits or permissions.
The attacker took advantage of pre-approved balances that users had never actually transferred: because those users had not cancelled their authorizations, the unused limits remained available to the attacker, and revoking them would have prevented the losses.
According to a report by PeckShield, a data analytics firm, the exploit stemmed from inadequate user input validation.
Users who had approved the vulnerable SocketGateway contract fell victim to the exploit, with the malicious gateway being introduced just three days before the incident.
Users were advised to revoke approvals from the address labeled “Socket: Gateway” on Etherscan. The hack’s impact extended beyond fund depletion, as phishing scammers utilized a fake Socket account to share a link to a malicious app, urging users to revoke approvals through another deceptive app.
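As an added example (not from the article or from Socket), the following Python scans ERC-20 `Approval` event logs for wallets that still hold an allowance to a given spender address and flags the unlimited ones, which is exactly the exposure the advice above asks users to revoke. The spender, token and owner addresses and the log entries are constructed placeholders, not the real Socket Gateway address.

```python
# Added example: scan ERC-20 Approval event logs for outstanding allowances
# granted to one spender (such as a bridge gateway) and flag unlimited ones.
# Sample logs and addresses below are constructed placeholders, not the real
# Socket Gateway address.

APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**256 - 1  # what approve(spender, type(uint256).max) records

def topic_to_address(topic: str) -> str:
    # Indexed address parameters are left-padded to 32 bytes in topics.
    return "0x" + topic[-40:].lower()

def latest_allowances(logs, spender):
    """Return {(token, owner): value} of the latest Approval to spender."""
    spender = spender.lower()
    allowances = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        if len(log["topics"]) != 3 or log["topics"][0].lower() != APPROVAL_TOPIC:
            continue  # not an ERC-20 Approval(owner, spender, value) event
        if topic_to_address(log["topics"][2]) != spender:
            continue
        owner = topic_to_address(log["topics"][1])
        # A later approve() overwrites the earlier allowance; approve(spender, 0) revokes
        allowances[(log["address"].lower(), owner)] = int(log["data"], 16)
    return allowances

def exposed_wallets(logs, spender):
    """(token, owner, is_unlimited) for owners still holding a non-zero allowance."""
    return sorted(
        (token, owner, value == UNLIMITED)
        for (token, owner), value in latest_allowances(logs, spender).items()
        if value > 0
    )

# Constructed sample: three owners, one of whom later revoked
SPENDER = "0x" + "ab" * 20
TOKEN = "0x" + "cd" * 20

def _log(block, idx, owner, value):
    pad = lambda a: "0x" + a[2:].rjust(64, "0")
    return {"address": TOKEN, "blockNumber": block, "logIndex": idx,
            "topics": [APPROVAL_TOPIC, pad(owner), pad(SPENDER)],
            "data": "0x" + format(value, "064x")}

SAMPLE_LOGS = [
    _log(100, 0, "0x" + "11" * 20, UNLIMITED),  # unlimited, never revoked
    _log(101, 0, "0x" + "22" * 20, 10**18),     # capped at one token unit
    _log(102, 0, "0x" + "33" * 20, UNLIMITED),
    _log(103, 0, "0x" + "33" * 20, 0),          # revoked with approve(spender, 0)
]
```

Calling `exposed_wallets(SAMPLE_LOGS, SPENDER)` returns the two owners still exposed; the third, who revoked with `approve(spender, 0)`, drops out.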
While cross-chain bridges are crucial in facilitating interactions among decentralized protocols, they have also become prime targets for cyber attacks. Several significant decentralized finance breaches in recent years have exploited vulnerabilities in cross-chain bridges.
According to an article by Cointelegraph, cybercriminals have shifted from crypto mixers to cross-chain bridges. The article referred to information provided by blockchain forensics firm Elliptic.
Between June and July last year, a significant amount of stolen crypto was laundered through cross-chain bridges, marking a reversal from the first half of 2022.
The trend accelerated due to crime displacement, where criminals adopt new methods when existing ones face increased policing. The shift intensified after the U.S. sanctioned Tornado Cash in August 2022.
Notably, the North Korean-backed Lazarus Group used the Avalanche Bridge after the sanctions. Although crypto mixers briefly resurged after the RenBridge shutdown, criminals returned to cross-chain bridges because funds are difficult to track across chains and because decentralized finance lacks identity verification.
Elliptic estimates that $4 billion in illicit crypto has been laundered through cross-chain bridges since 2020.