Decentralized exchange Clipper has reported that a recent hack resulting in a loss of $450,000 was due to a vulnerability in its withdrawal function, rather than the previously suggested private key leak. On December 1, the attacker managed to exploit two liquidity pools, which accounted for approximately 6% of the platform’s total value locked. Clipper confirmed that other pools remained unaffected and declared that the exploitation incident had concluded.
In addressing claims from third parties regarding a private key leak, Clipper emphasized that these assertions were unfounded and did not align with its security infrastructure. It noted that the withdrawal process, allowing the transfer of just one token through a bundled transaction, was temporarily disabled. This particular feature was identified as the one that had been exploited by the attacker.
The co-founder of cybersecurity firm Fuzzland had earlier indicated that the hack stemmed from an API vulnerability, suggesting that the API might have enabled an attacker to manipulate deposit and withdrawal requests, thus extracting more funds than initially deposited. In response, Clipper announced it was conducting a thorough investigation into the breach and would provide updates as they materialize. While swaps and deposits have been halted, withdrawals remain operational, but must include a mix of all assets within the pool.
Clipper has also initiated efforts to trace the stolen funds in hopes of recovery and has extended an invitation to the perpetrator to engage with the team directly. This incident adds to a significant total of more than $1.48 billion in stolen cryptocurrency recorded in 2024, reflecting a 15% decrease compared to the same timeframe in the previous year, according to a recent report by Immunefi.
