DEX Clipper refutes claims of leaking private keys after breach

Decentralized exchange (DEX) Clipper experienced a security incident at 4am UTC on December 1st, targeting its liquidity pools at Optimism and Base.

Chaofan Shou, co-founder of security firm Fuzzland, initially attributed the exploit to a private key leak, which allowed the attacker to authorize deposit and withdrawal transactions. Clipper, however, has refuted this explanation, stating that its security model is specifically designed to protect against such problems.

The exploitation

According to Clipper’s latest update, the attack resulted in a loss of approximately $450,000, which is about 6% of its Total Locked Value (TVL). Although the attacker tried to exploit other chains, these attempts were unsuccessful, and neither they nor the pools were affected.

The exploit has since been mitigated and Clipper said it has taken immediate steps to safeguard user funds and investigate the breach. All exchanges and deposits across chains have been temporarily halted as a precautionary measure.

However, withdrawals remain fully functional, in keeping with Clipper’s non-custodial nature, which ensures users retain control of their assets. It is important to note that withdrawals must currently include a combination of all pool assets, as the ability to withdraw a single token, identified as an exploited feature, has been disabled.

Addressing speculation about the nature of the incident, Clipper clarified that the exploit was not caused by a private key leak. The team behind DEX actively collaborates with security experts to investigate the breach and thoroughly implement enhanced safeguards.

“In addition to the investigation, an effort has begun to locate funds to attempt recovery. If you are the exploiter and are willing to speak, please contact us directly. Clipper is committed to transparency and will provide further updates to community as more information becomes available.”

Ravage DeFi Hacks

According to Immunefi’s November 2024 report, hackers were responsible for a staggering 99.96% of all crypto losses that month. Meanwhile, fraud and carpetbagging decreased significantly, accounting for just $25,300 in two incidents.

The decentralized finance (DeFi) sector bore the brunt, with losses of $71 million, the second-lowest monthly total of the year and a sharp decline from $343 million in November 2023.

SPECIAL OFFER (Sponsored) Binance Free $600 (Exclusive to CryptoPotato): Use this link to register a new account and receive an exclusive welcome offer of $600 to Binance (full details).

LIMITED OFFER for CryptoPotato readers on Bybit – Use this link to register and open a FREE $500 position with any currency!