Clipper DEX Says Withdrawal Vulnerability Led to $450K Hack, Denies Private Key Leak

Decentralized exchange Clipper has revealed that a vulnerability in its withdrawal function enabled a $450,000 hack on its platform, refuting claims of a private key leak as alleged by external parties.

The platform confirmed in a post on X that the exploit targeted two liquidity pools on December 1, affecting around 6% of its total value locked.

Other pools were not impacted, and the exploit has since been resolved.

“There have been third-party claims suggesting a private key leak,” Clipper stated. “We can confirm that this is not the case and is inconsistent with the design and security architecture of Clipper.”

Clipper Disables the Exploited Function

Clipper added that the ability to withdraw using a single token—a feature that combines swaps with deposit or withdrawal transactions—has been disabled, as it was identified as the exploited function.

Earlier, Chaofan Shou, co-founder of security firm Fuzzland, suggested on X that Clipper’s hack was due to an API vulnerability, potentially allowing attackers to sign unauthorized deposit and withdrawal requests.

“During the attack, the exploit involved a deposit request that acquired pool shares using a certain amount of tokens. In the same tx, those pool shares were withdrawn, but yielding a higher quantity of tokens than originally deposited,” Shou claimed.

However, Clipper’s statement challenges this narrative, emphasizing its robust security framework.

Following the incident, Clipper paused swaps and deposits while keeping withdrawals open under specific conditions: withdrawals must be executed as a mix of all assets in the pool.

The exchange is actively tracing the stolen funds and has invited the attacker to engage in communication if willing.

Statement on Clipper Security Incident Dec 1, 2024

This morning at 4am UTC Clipper’s pools on Optimism and Base were exploited for ~$450,000, roughly 6% of Clipper’s TVL. The attacker attempted to exploit other chains but was unable to do so. As a result, no other chains or…

— Clipper🏴‍☠️ (@Clipper_DEX) December 1, 2024

The hack contributes to the $1.48 billion in crypto stolen during 2024 up to November, representing a 15% year-over-year decline, according to a report by Immunefi.

Clipper is investigating the breach and promises to provide updates.

Attacks on Major Centralized Exchanges

The recent attack on Clipper comes amid a trend of increasing attacks on centralized exchanges in 2024.

Some major incidents this year include the $235 million breach of India’s WazirX exchange in July, a $52 million hack on Singapore’s BingX in September, and a $55 million exploit of Turkey’s BtcTurk in June.

More recently, XT.com, a Seychelles-based cryptocurrency exchange, paused withdrawals following reports of a suspected $1.7 million hack.

Last week, U.S. federal prosecutors charged five individuals in connection with a sophisticated hacking operation that allegedly stole $11 million in crypto and sensitive data from individuals and companies across multiple countries.

According to court filings, the alleged hackers targeted at least 29 individuals, with one victim losing over $6.3 million in cryptocurrency after their email and digital wallets were compromised.

Prosecutors claim the group also targeted 45 companies in the U.S., Canada, India, and the United Kingdom.

Among their targets was a U.S.-based cryptocurrency exchange whose employees were tricked by fake text messages into divulging sensitive credentials.