On January 16, 2024, Socket Tech was attacked, resulting in a loss of approximately $3.3 million. The attacker exploited a vulnerability in the data verification link of a Socket contract and stole user funds of the authorized contract through malicious data input. This attack caused losses to a total of 230 addresses, with the largest single address loss of approximately $656,000.
Background introduction
Socket is an interoperability protocol serving cross-chain secure and efficient data and asset transmission. The Socket Gateway contract is the access point for all interactions with the Socket liquidity layer, where all asset bridges and DEXs converge into a single meta-bridge and select the best transactions based on user preferences such as cost, latency or security routing.
Three days before the hack, the Socket contract administrator executed the addRoute command to add a new route to the system. The purpose of adding routing was to extend the capabilities of the Socket Gateway, but it inadvertently introduced a critical vulnerability.
The picture below shows the record of routing added through the contract administrator:
Summary of events
1. At 15:03 on January 16, Beijing time, the attacker’s wallet transferred the funds used for the attack. Our time analysis shows that the funds came from 0x e 620 and were related to the 10 BNB withdrawn from Tornado Cash.
2. These funds were used to create and execute two contracts to exploit Socket vulnerabilities. The first contract targets the USDC in the address authorized by SocketGateway (screenshot below). 127 victims were defrauded out of approximately $2.5 million.
3. Next, the second contract targets WETH, USDT, WBTC, DAI and MATIC in the victim’s address. As a result, another 104 victims lost approximately the following assets:
-42.48 WETH
-347, 005.65 USDT
-2.89 WBTC
-13, 821.01 DAI
-165, 356.99 MATIC
4. The attacker converted USDC and USDT into ETH.
Vulnerability source
The vulnerability exploited by attackers exists in the performAction function within the newly added routing address routeAddress.
The original function of the performAction function in this address is to assist the Wrapping and Unwrapping functions.
However, a critical vulnerability appears in this function: the user directly calls external data through swapExtraData in .call() without verification, which means that the attacker can execute arbitrary malicious functions.
In this incident, the attacker crafted a malicious swapExtraData input that triggered the transferFrom function. The malicious call exploited the users authorization to the SocketGateway contract and stole funds from them.
Although the contract will ensure that the users balance will change correctly after fromToken.call() is called by checking the balance check, this function does not take into account the situation where the attacker sets the amount to 0.
Restoring the attack process
1. Using the attack contract, the attacker called 0x 00000196() on the Socket Gateway contract.
2.fallback() calls the vulnerable routing address contract (routerAddress) using hexadecimal signature 196.
3. In the screenshot below, we can see the fake input used by the attacker, and the Swapping number is all 0.
4. Next, WrappedTokenSwapperImpl.performAction() will be called to perform Swap.
5. The fake SwapExtraData is accepted and executed by fromToken (WETH) without any verification.
6. The attacker repeats the above process until the victim’s assets are exhausted. After the malicious transaction appeared, Socket quickly called disableRoute, blocking the previously vulnerable route and preventing a wider range of attacks.
7. On January 23, Socket announced that it had recovered 1,032 ETH, and announced on the 25th that it would fully compensate all losses. This incident has been resolved.
event summary
Malicious calldata attacks are not uncommon in routing contracts with unlimited user authorization.
Previous similar attacks include Dexible and Hector Bridge.
On February 17, 2023, the decentralized exchange Dexible was attacked, causing losses of more than $1.5 million. The exploiter inputs malicious calldata into Dexibles fill() function to steal user assets.
On June 2, 2023, the Hector network’s protocol was attacked. The attacker deployed a fake USDC contract and transferred 652,000 real USDC from the victims contract through malicious calldata.
Blockchain aggregation platforms typically improve liquidity and reduce losses by encapsulating a series of bridge and routing contracts. However, this complex encapsulation creates more security challenges.
The resolution of the Socket incident is undoubtedly the result of the efforts of all parties. CertiK will continue to be committed to providing comprehensive auditing and testing for the platform, reducing various aggregate risks, and improving community trust and the security level of the entire industry.
