Cross-chain protocol Socket has been exploited, and $3.3 million has been drained from contracts associated with it, according to a Jan. 16 social media post from the team. The team has paused all contracts to prevent further losses.
Urgent Socket has experienced a security incident which affected wallets with infinite approvals to Socket contracts. We have identified the issue & have paused the affected contracts. We’re working on the situation & will keep you informed with regular updates & next steps.
— Socket (@SocketDotTech) January 16, 2024
“Urgent Socket has experienced a security incident which affected wallets with infinite approvals to Socket contracts,” the post stated. “We have identified the issue & have paused the affected contracts.”
Socket is a cross-chain infrastructure protocol used by many Web3 apps, including Synthetix, Lyra, Kwenta, Superform, Plasma Finance, and Level Finance. Socket claims that more than $3.3 million has been lost in the attack. The team has paused contracts, preventing the attacker from draining more funds.
Blockchain analyst Spreekaway reported the incident from their X account. According to them, the attacker used a token approval from Ethereum address 0x3a23f943181408eac424116af7b7790c94cb97a5 to carry out the exploit. Spreekaway recommended that users revoke all approvals from this address, which they claim shows up as “Socket: Gateway” on Etherscan. Socket developers claimed that they have paused contracts and “Users don't need to do ANYTHING.”
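To illustrate the approval exposure described above, the following added example (not code from Socket, Spreekaway or the article) replays ERC-20 `Approval` event logs and lists wallets whose most recent approval to the Gateway address is still non-zero. Only the Gateway address comes from the article; the token, wallet addresses and log entries are constructed, and `make_log`, `outstanding_approvals` and `classify` are hypothetical helper names.

```python
# Constructed sample data throughout; only SOCKET_GATEWAY comes from the article.
# APPROVAL_TOPIC is keccak256("Approval(address,address,uint256)").
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
SOCKET_GATEWAY = "0x3a23f943181408eac424116af7b7790c94cb97a5"
MAX_UINT256 = 2**256 - 1

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def outstanding_approvals(logs, spender=SOCKET_GATEWAY):
    """Map (token, owner) -> last approved amount, for non-zero approvals to spender."""
    latest = {}
    ordered = sorted(logs, key=lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16)))
    for log in ordered:
        topics = log["topics"]
        # ERC-721 Approval shares this topic0 but indexes tokenId (4 topics): skip it.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(topics[2]) != spender.lower():
            continue
        latest[(log["address"].lower(), topic_to_address(topics[1]))] = int(log["data"], 16)
    # A later approve(spender, 0) overwrites the entry, so revoked wallets drop out.
    return {k: v for k, v in latest.items() if v > 0}

def classify(amount):
    return "unlimited" if amount == MAX_UINT256 else "limited"

def make_log(token, owner, spender, amount, block, index):
    """Build a constructed log entry in eth_getLogs JSON shape."""
    pad = lambda addr: "0x" + addr[2:].rjust(64, "0")
    return {"address": token, "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(amount, "064x"),
            "blockNumber": hex(block), "logIndex": hex(index)}

TOKEN = "0x" + "aa" * 20                              # constructed token contract
ALICE, BOB, CAROL = ("0x" + c * 40 for c in "123")    # constructed wallets
OTHER = "0x" + "bb" * 20                              # constructed unrelated spender
SAMPLE_LOGS = [
    make_log(TOKEN, BOB, SOCKET_GATEWAY, 0, 105, 0),   # Bob revokes (listed out of order)
    make_log(TOKEN, ALICE, SOCKET_GATEWAY, MAX_UINT256, 100, 2),
    make_log(TOKEN, BOB, SOCKET_GATEWAY, MAX_UINT256, 101, 0),
    make_log(TOKEN, CAROL, SOCKET_GATEWAY, 500, 102, 1),
    make_log(TOKEN, ALICE, OTHER, MAX_UINT256, 103, 0),  # different spender: ignored
]

if __name__ == "__main__":
    for (token, owner), amount in outstanding_approvals(SAMPLE_LOGS).items():
        print(owner, token, classify(amount))
```

Event logs record the last approved amount, not the live allowance, so a token's `allowance(owner, spender)` view remains the authoritative check before and after revoking.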
Phishing scammers appear to be taking advantage of the chaos to find new victims. In a reply to Socket’s official post, a fake Socket account posted a link to a malicious app and urged users to revoke their approvals using another malicious app that was also provided. The fake account used the misspelled X handle @SocketDctTech instead of the correctly spelled @SocketDotTech. The fake account was removed from X within minutes of the post.
Phishing account on X claiming to be Socket. Source: X
Dune Analytics user beetle has set up a dashboard to track all losses from the attack.