Clipper DEX Clarifies $450K Hack, Denies Private Key Leak

Decentralized exchange (DEX) Clipper has provided an update regarding the recent hack of its platform, which resulted in the theft of $450,000 worth of cryptocurrency. The DEX clarified that the attack was caused by a vulnerability in its withdrawal function, rather than a private key leak as suggested by third-party sources.


Hack Details

The hack occurred on December 1, when an attacker exploited vulnerabilities in two liquidity pools on Clipper. The exploit resulted in the theft of approximately 6% of the total value locked (TVL) on the platform. However, Clipper emphasized that no other pools were affected, and the exploit was swiftly contained.


In a statement released on X (formerly Twitter), Clipper responded to third-party claims suggesting that the breach was the result of a private key leak. The exchange confirmed that these claims were inaccurate and inconsistent with its security architecture. Clipper explained that the vulnerability stemmed from an issue with the platform’s withdrawal function, which allowed the attacker to withdraw funds as a single token through a bundled swap and deposit/withdrawal transaction. As a precautionary measure, Clipper has disabled this feature to prevent further attacks.


Misleading Claims

The confusion surrounding the hack arose from a tweet by Chaofan Shou, co-founder of security firm Fuzzland. Shou had initially speculated that the hack resulted from an API vulnerability, which he suggested could be linked to a private key leak. He further claimed that the API flaw might have allowed the attacker to manipulate deposit and withdrawal requests, enabling them to steal more funds than they deposited.


Clipper swiftly responded to these claims, stating that no private key leak had occurred and assuring its users that the security of the platform had not been compromised in that manner. The company reiterated that the vulnerability was related to the withdrawal function and not an API-related issue.


Current Status

Following the incident, Clipper paused swaps and deposits on its platform while the team conducts an investigation into the hack. Withdrawals have been resumed but are limited to assets that are part of the total pool mix. The team is actively working to trace the stolen funds and has invited the hacker to come forward if they are willing to engage in a conversation.


Broader Impact

This hack adds to the growing list of security breaches within the cryptocurrency industry. According to a report from Immunefi, over $1.48 billion worth of cryptocurrency has been stolen in 2024, marking a 15% decrease compared to the same period in 2023.


Next Steps

Clipper has committed to providing further updates as the investigation continues. The team is focused on improving its platform’s security and ensuring that similar vulnerabilities do not arise in the future. Shipyard Software Inc., the company behind Clipper, has yet to respond to requests for additional comments.


This hack serves as a reminder of the ongoing security challenges faced by decentralized exchanges and the broader cryptocurrency space. As the investigation unfolds, Clipper’s response will be closely watched by users and security experts alike.
