Explained: The Socket Protocol Hack (January 2024)

The Socket Gateway hack was made possible by a vulnerability in a new module in Socket’s Aggregator system. The role of the new module was to swap tokens on the users’ behalf. In the event that a user had granted infinite approvals to the Socket Gateway contract, the attacker was able to drain tokens from the user’s account. Since Socket approvals default to finite approvals, approximately 200 users of the protocol were affected by the incident.

The new route contained a vulnerability in which it executed untrusted user input. When the contract’s performAction function is called, the swapExtraData parameter is not validated before it is used in a call instruction. As a result, the attacker can inject a call to transferFrom into the data, enabling them to drain value from wallets with infinite approvals to the attacker’s wallet.

After the exploit was discovered, the Socket team worked quickly to address the issue. Within 14 minutes, the vulnerable route was disabled, and the team deployed a fix to the vulnerable code.

However, by then the attacker had exploited the vulnerability across two transactions, netting them a total of $3.3 million in tokens. Each transaction had a zero value but used an injected call to transferFrom to drain value from wallets with pre-existing approvals.

The Socket protocol hack was made possible by a well-known vulnerability in smart contracts. Calldata sent along with a call to a function is under the control of the user and should not be trusted.

This type of vulnerability would likely have been identified as part of a smart contract audit; however, the module was launched three days before the attack and was out of the scope of past audits. The Socket team blames the deployment of vulnerable code to the blockchain on a mix-up in which a pre-review version of the module was deployed instead of the post-review version.

This incident underscores the importance of security audits and robust change management processes for smart contracts. If the new module had been audited before release or the mix-up hadn’t occurred, then this $3.3 million hack might have been avoided. For more information on auditing your smart contracts, get in touch with Halborn.