Clipper DEX said the $450K hack was due to a withdrawal vulnerability, not a private key leak as claimed by a third party.
Clipper, a decentralized exchange (DEX), has clarified that the recent $450,000 hack of its protocol was the result of a vulnerability in its withdrawal function, rather than a private key leak as indicated by a “third party.”
In a Dec. 1 post on X, Clipper DEX disclosed that the attacker exploited two of its liquidity pools, which together held roughly 6% of the protocol's total value locked (TVL).
It added that no other pools were affected and that the exploit has been stopped.
Clipper DEX wrote, “There have been third-party claims that suggest a private key leak.”
“We can verify that this is not the case and is incompatible with the security architecture and design of Clipper.”
“The feature that allows for the withdrawal of a single token (a bundled swap + deposit/withdrawal transaction) has been disabled, as it appears to have been exploited,” it continued.
Chaofan Shou, co-founder of security firm Fuzzland, had earlier posted on X that Clipper DEX was “hacked due to API vulnerability (like private key leak),” suggesting the API likely contained flaws that allowed an attacker to sign deposit and withdrawal requests and withdraw more funds than they had deposited.
Clipper has announced that it is conducting an investigation into the incident and has committed to providing additional information.
In the interim, it has paused swaps and deposits on the protocol. Withdrawals remain enabled, it said, but only as a bundle of the pool's assets rather than as a single token.
The project has also initiated the process of tracing the stolen funds to recover them.
It has requested that the exploiter contact the project if they are “willing to speak.”
According to a Nov. 28 Immunefi report, more than $1.48 billion in cryptocurrency was stolen in hacks and scams between the start of 2024 and the end of November, a 15% decrease from the same period last year.
Shipyard Software Inc., the company that developed Clipper, did not immediately respond to a request for comment sent outside regular business hours.
Shou has also been contacted for comment.