Bungee Exchange Socket.Tech protocol attacked, funds stolen

A security breach at Socket Tech, a cross-chain infrastructure protocol caused a financial loss of approximately $3.3 million. The attack was executed on the Bungee Exchange, a frontend for the Socket Protocol. The attacker used a flaw in the SocketGateway, enabling unauthorized fund withdrawals from users who had granted unlimited access to this component.

The breach primarily affected around 700 users who had recently interacted with a newly added vulnerable bridging route in the protocol and had granted the gateway unrestricted access to their tokens. One user, in particular, lost $656,000 USDC, which the attacker then converted to ether, a cryptocurrency that is not subject to freezing.

The attack originated from a wallet funded through the privacy-centric exchange FixedFloat, exploiting weaknesses in the protocol’s user data verification and processing. The compromised route was quickly disabled, and normal service resumed after approximately six hours.

While Socket Tech’s bridging protocol is also integrated into third-party decentralized apps (dapps) and wallets like Rainbow and Zeal, these platforms were not as severely affected due to their practice of limiting approvals to specific asset amounts for transfers.

The Rainbow wallet advised its users to revoke permissions as a precautionary measure, using the Revoke Cash tool. The Socket Tech team is committed to conducting a thorough post-mortem analysis of the incident. Their immediate focus is on addressing the needs of their users and recovering lost funds, for which they expressed deep regret over the incident.