January 18, 2024

Socket Protocol Falls Victim to Hacker's Call Injection Attack, Resulting in Approximately $3.3 Million Theft



On January 17, 2024, according to monitoring data from Beosin EagleEye, Socket Protocol suffered a call injection attack that drained funds from users who had granted token approvals to the affected contract. The attacker has since converted the stolen funds to ETH and is holding them at the attacker’s address.


After the attack, Socket’s official confirmation acknowledged the security breach and promptly suspended the affected contracts.



At the same time, MetaMask posted on the X platform that MetaMask Bridge users are not affected by the Socket vulnerability, attributing this to the distinct architecture of its cross-chain bridge contracts, which it says mitigates attacks of this kind.



Vulnerability Analysis

The root cause of this incident is an unsafe low-level call in the performAction function of the Socket contract. Although the fromToken and toToken parameters are not validated explicitly, the function only handles WETH as the token address and rejects other ERC20 addresses, so those two parameters cannot be forged.



The critical flaw is that the amount parameter is unrestricted. If the caller passes an amount of 0, the function’s check condition always passes without WETH’s deposit or withdraw functions having to be called, so the caller can inject arbitrary calldata through the call and exploit the contract.


Attack Process

With the vulnerability understood, here is how the attacker carried out the attack:


1. Creation of Malicious Contract:

  • The attacker initially created a malicious contract to initiate the attack.



2. Queries and Authorization Checks:

  • Subsequently, the attacker conducted multiple queries on WETH balances from different addresses.
  • Additionally, the attacker checked the allowance each of these addresses had granted to the Socket: Gateway contract.
  • Following this, the attacker called the Socket: Gateway contract.



3. performAction Call with the transferFrom Selector:

  • In the call to the performAction function, the attacker set the swapExtraData parameter to 0x23b872dd…
  • This data is the function selector of transferFrom, meaning the call directly invoked the token’s transferFrom function.



4. WETH Transfer by the Attacker:

  • Through repeated operations, the attacker transferred WETH from a large number of users to their own address.



5. Transfer of Approved USDT in the Same Manner:

  • The attacker used the same method to transfer USDT approved to the contract to their own address.



6. Other Tokens Involved:

  • The attack extended to other tokens such as WBTC, DAI, and MATIC.
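The flaw described under Vulnerability Analysis and the transferFrom injection in step 3 can be seen side by side in the following simplified Solidity sketch. It is an added illustration, not Socket’s contract: the gateway and route are collapsed into one contract that users are assumed to have approved, the parameter list is shortened, and the NATIVE_TOKEN sentinel, contract names and variable names are my own. The first contract forwards swapExtraData to WETH and relies on a balance-delta check that an amount of 0 makes vacuous; the second removes the arbitrary call, rejects a zero amount and requires an exact balance change.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Socket's code. Minimal WETH interface for the sketch.
interface IWETH {
    function deposit() external payable;
    function withdraw(uint256 wad) external;
    function balanceOf(address owner) external view returns (uint256);
    function transfer(address to, uint256 wad) external returns (bool);
}

// Sentinel address used for native ETH (an assumption for this sketch).
address constant NATIVE_TOKEN = 0xEeeeeEeeeEeEeeEeEeEeeEEEeeeeEeeeeeeeEEeE;

contract VulnerableWrapRoute {
    IWETH public immutable weth;

    constructor(IWETH _weth) {
        weth = _weth;
    }

    // ETH -> WETH wrap. Users are assumed to have approved this contract for WETH.
    function performAction(
        address fromToken,
        address toToken,
        uint256 amount,
        bytes calldata swapExtraData
    ) external payable returns (uint256) {
        // Only the ETH/WETH pair is handled, so fromToken/toToken cannot be forged.
        require(fromToken == NATIVE_TOKEN && toToken == address(weth), "unsupported pair");
        require(msg.value == amount, "value mismatch");

        uint256 balanceBefore = weth.balanceOf(address(this));
        if (amount > 0) {
            weth.deposit{value: amount}();
        }

        // Flaw 1: caller-supplied calldata is forwarded to WETH unchecked, so it can
        // encode any WETH function, executed with this approved contract as msg.sender.
        (bool ok, ) = address(weth).call(swapExtraData);
        require(ok, "weth call failed");

        // Flaw 2: with amount == 0 the balance-delta check below is satisfied by any
        // outcome, so the forwarded call is never constrained by the expected wrap.
        uint256 received = weth.balanceOf(address(this)) - balanceBefore;
        require(received >= amount, "short received");
        if (received > 0) {
            require(weth.transfer(msg.sender, received), "payout failed");
        }
        return received;
    }
}

contract HardenedWrapRoute {
    IWETH public immutable weth;

    constructor(IWETH _weth) {
        weth = _weth;
    }

    // Same entry point, but the route performs the one typed WETH call it needs and
    // rejects both a zero amount and any caller-supplied calldata.
    function performAction(
        address fromToken,
        address toToken,
        uint256 amount,
        bytes calldata swapExtraData
    ) external payable returns (uint256) {
        require(fromToken == NATIVE_TOKEN && toToken == address(weth), "unsupported pair");
        require(amount > 0, "zero amount");
        require(msg.value == amount, "value mismatch");
        require(swapExtraData.length == 0, "extra calldata not allowed");

        uint256 balanceBefore = weth.balanceOf(address(this));
        weth.deposit{value: amount}();

        // Exact-delta check: the wrap must have produced precisely `amount` WETH.
        uint256 received = weth.balanceOf(address(this)) - balanceBefore;
        require(received == amount, "unexpected balance change");
        require(weth.transfer(msg.sender, received), "payout failed");
        return received;
    }
}
```

The general lesson for reviewers is that a contract holding user approvals must never forward caller-controlled calldata to the token contract, and that any balance or amount check guarding a low-level call must be impossible to satisfy trivially (here, by passing 0).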



As of the time of writing, approximately $3.3 million has been stolen, with some funds exchanged for ETH and stored in the hacker’s address. Beosin Trace continues to monitor the stolen funds.



Socket, in an update on the X platform, states that operations have been restored, affected contracts have been suspended, and the situation is under full control. Interoperability with Bungee bridging and most partner front-end bridging has been reinstated. A detailed analysis of the event and subsequent steps will be announced soon.


Socket issues a reminder: “Be cautious of fake Socket accounts attempting phishing in your replies. Please carefully verify the account before taking any action.”



This incident serves as a reminder to prioritize security. As we enter 2024, numerous security events have already occurred. Beosin, a globally leading blockchain security company, offers a comprehensive range of blockchain security products and services covering code security audits before project launch, real-time security risk monitoring, alerts and prevention, cryptocurrency asset recovery, security compliance KYT/AML, and more. We are committed to the secure development of the Web3 ecosystem. If needed, feel free to contact us.

