:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/dlnews/EU6XV4L3JJBOJEADYGG6OW5R6M.jpg)
- Over 200 wallets have lost funds after interacting with crypto bridge aggregator Bungee.
- Those who previously sent tokens via the bridge's Socket protocol route on Ethereum were affected.
A bug in the underlying technology that powers parts of crypto bridge aggregator Bungee has just cost its users a combined $3.3 million.
At approximately 8:11 pm London time on Tuesday, over 200 wallets that had previously used Bungee’s Socket route to send tokens on Ethereum began to see their funds drained from them.
Tayler Melvin, team hospitality lead at Socket, said in the Socket Discord server the project had “experienced a security incident which affected wallets with infinite approvals to Socket contracts.”
The vast majority of the stolen tokens — over $2.9 million — were converted into Ether. Smaller amounts of Polygon’s Matic token, wrapped versions of Bitcoin and Ethereum, and MakerDAO’s Dai stablecoin remain in the hacker’s wallet.
After noticing the attack, Socket, the project that manages the Bungee bridge’s underlying technology, paused the smart contract that was being exploited.
“Whomever responsible can no longer do any further damage, we’ve paused everything,” Melvin said.
Socket is an interoperability protocol that allows data and asset transfers across chains. Bungee is a bridge aggregator built using Socket’s technology by the same team.
The incident is the latest in a long list of bridge hacks that have plagued DeFi in recent years.
Previous approvals
Pseudonymous security researcher officercia told DL News that the bug had inadvertently been deployed by Socket three days prior in a new smart contract.
It allowed the hacker to target those who had previously used the Bungee bridge to send tokens from Ethereum to other blockchains.
When bridging tokens, users often have to first sign a separate transaction allowing the bridge to spend their funds.
In the case of Socket, as well as many other DeFi protocols, this approval is often set to allow the protocol requesting it to spend a much higher amount of tokens than required for the bridging transaction.
The hacker was able to exploit these approvals to drain tokens from victims’ wallets without them having to sign another transaction.
“This is a good time to start a new habit — revoke approvals afterwards,” officercia said.
Transactions that let a DeFi protocol spend a user’s funds can be revoked using websites such as revoke.cash.
If those who had granted Socket the ability to spend their funds had revoked the permissions after bridging, they would have prevented the hacker from stealing their crypto.
Tim Craig is DL News’ Edinburgh-based DeFi Correspondent. Reach out with tips at tim@dlnews.com.
Ryan Celaj is DL News’ New York-based Data Correspondent. Reach out with tips at ryan@dlnews.com.
:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/dlnews/VPI3FFRAARHYBCLM6CCDDLDPAA.jpg)
:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/dlnews/EIW2H7D5IBAZRLYGY2XCBR6HGA.jpg)
:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/dlnews/65DXLBM7VRF2JFVWH2AUL74BEM.jpg)
:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/dlnews/XQ7KZR2EFRD7NNBTIQ3HSYEVCQ.jpg)