Introduction
On 16 January 2024, Socket Tech was exploited by EOA 0x50df for approximately $3.3 million. The attacker took advantage of a vulnerability within the performAction function of a newly deployed contract which has an incomplete user input validation. Users who had approved the vulnerable SocketGateway contract had their funds stolen stolen. From this attack there were 230 wallets that lost funds with the biggest victim losing $656k USDC.
Background
Socket is an interoperability protocol for secure & efficient data and asset transfer across chains.
The Socket gateway contract serves as entry point for all interactions with socket liquidity layer, where all asset bridges & DEXs aggregate into a single meta-bridge & dynamically selects/routes the funds via the best routers as per user preferences such as cost, latency or security.
Three days prior to the hack, a transaction calling addRoute was executed by the contract admin that introduced a new route into the system. This addition was intended to expand the functionality of the socket gateway but inadvertently introduced a critical vulnerability.
The addition of the route by contract admin
Summary
At 7:03 PM UTC Jan 16 the exploiter wallet was funded via a fixed float transaction with timing analysis suggesting the funds came from 0xe620 which links to a 10 BNB withdrawal from Tornado Cash.
The funds were used to create and execute two exploit contracts. The first contract targeted USDC (screenshot below) held by victims who had approved the vulnerable SocketGateway. Approximately $2.5m USDC was taken from 127 victims.
The second contract then targeted victim’s WETH, USDT, WBTC, DAI and MATIC. A further 104 victims lost other assets which amounted to the following:
42.47526105 WETH
347,005.65 USDT
2.88962154 WBTC
13,821.01 DAI
165,356.99 MATIC
The USDC and USDT was swapped for ETH and as of writing the stolen funds remain in the exploit wallet.
Vulnerability
The vulnerability lies within the newly added routeAddress 0xcc5f, specifically in the function performAction.
The performAction function at the vulnerable route address was designed to facilitate token swaps, converting native tokens (such as ETH) to their wrapped token equivalents, or the reverse. The critical vulnerability resides in the unvalidated and direct use of .call() with external user-provided data swapExtraData. This results in arbitrary function execution being possible by an attacker.
In this particular incident, an attacker was able to craft a swapExtraData input that triggered the transferFrom function. The malicious call exploited approvals users had given to SocketGateway contract 0x3a23, draining funds from them.
Although there is a balance check that ensures there is net native token balance change after the fromToken.call() aligns with the designated input 'amount', the function did not consider a case in which the caller can transfer in 0 WETH.
Attack Flow
Through attack contract 0xc3fd, the attacker called 0x00000196() on the Socket Gateway contract.
The hex signature 196 let the fallback() function call the routerAddress at slot 406, where the vulnerable router contract had been deployed three days earlier.
In the below screenshot, we can see the arbitrary input used by the attacker.
WrappedTokenSwapperImpl.performAction() was designed to conduct swaps between native tokens and the wrapped token equivalent would then be invoked.
Without any validation, the following SwapExtraData was passed and executed by the fromToken (WETH).
The process was repeated to drain victim’s tokens that had been approved to GateWay contract. After the malicious transactions started, Socket quickly called disableRoute with the previously vulnerable route added as input, preventing further attacks.
Conclusion
Unsanitized calldata is not an uncommon exploit on susceptible Router contracts that have infinite approvals from users. Some previous examples of similar exploits include Dexible and Hector Bridge. On Feb 17, 2023, Dexible, a decentralized exchange, was exploited for over $1.5m. The exploiter passed in calldata to Dexible's fill() function to steal victim’s approved tokens. On June 2nd 2023, the Hector network’s new bridge protocol was exploited. The attacker deployed a fake USDC token and input malicious calldata to transfer 652.6K real USDC out of the victim treasury contract.
Aggregators generally enhance liquidity in the crypto space by encapsulating a series of bridges and routers. Such encapsulation can complicate security in that the users entrusting funds to aggregators which can lead to losses if exploited. A comprehensive audit from CertiK can help mitigate these risks and enhance trust in the community.
