Decentralized exchange (DEX) Clipper experienced a security incident at 4 am UTC on December 1, targeting its liquidity pools on Optimism and Base.
Chaofan Shou, co-founder of security firm Fuzzland, initially attributed the exploit to a private key leak, which would have allowed the attacker to authorize deposit and withdrawal transactions. Clipper, however, has rejected this explanation, stating that its security model is specifically designed to safeguard against such issues.
The Exploit
According to the latest update by Clipper, the attack resulted in the loss of approximately $450,000, representing around 6% of its total value locked (TVL). The attacker also tried to exploit pools on other chains, but these attempts were unsuccessful, leaving those chains and their pools unaffected.
The exploit has since been mitigated, and Clipper assured that it has taken immediate action to safeguard user funds and investigate the breach. All swaps and deposits across chains have been paused temporarily as a precautionary measure.
However, withdrawals remain fully functional, consistent with Clipper’s noncustodial nature, which ensures users retain control over their assets. It is important to note that withdrawals must currently include a mix of all assets in the pool, as the ability to withdraw a single token – identified as the exploited feature – has been disabled.
Addressing speculation regarding the nature of the incident, Clipper clarified that the exploit was not caused by a private key leak. The team behind the DEX is actively collaborating with security experts to thoroughly investigate the breach and implement enhanced safeguards.
“In addition to the investigation, an effort has begun to trace funds to attempt recovery. If you are the exploiter and are willing to speak, please reach out directly. Clipper is committed to transparency and will provide further updates to the community as more information becomes available.”
Hacks Ravage DeFi
According to Immunefi’s November 2024 report, hacks were responsible for an astounding 99.96% of all crypto losses that month. Meanwhile, fraud and rug pulls significantly declined, accounting for just $25,300 across two incidents.
The decentralized finance (DeFi) sector bore the brunt, suffering $71 million in losses – marking the second-lowest monthly total of the year and a sharp drop from $343 million in November 2023.