
Socket Gateway Hack Analysis

Overview:

On January 12, 2024, Socket Gateway suffered an attack caused by missing calldata validation, leading to an estimated loss of over 3.3M USD.

Smart Contract Hack Overview:

Fig: Attack Transaction

Decoding the Smart Contract Vulnerability:

  1. The vulnerability behind this attack stemmed primarily from an unsafe external call inside the protocol's performAction function.
  2. performAction did not handle the case where the caller transferred 0 Wrapped Ether (WETH). Because nothing had to be deposited, the attacker could reach the call with no funds at risk, execute other functions through it, and bypass the balance check.
  3. This oversight let the attacker craft the calldata so that the forwarded call invoked transferFrom() on arbitrary tokens.
  4. As a result, the attacker could move tokens that other users had approved to the protocol into addresses under their own control.
Fig: The root cause of the vulnerability
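The following is an added, constructed illustration of the pattern described above, not Socket's actual code: a simplified gateway whose performAction forwards caller-controlled calldata, shown beside a hardened version. The hardened contract applies the zero-amount check the analysis recommends and, going beyond the page, also restricts the call target to an allowlist of vetted routes (the allowedRoute mapping and its administration are assumptions) and requires a non-zero minimum output so the balance check actually binds.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// Constructed, simplified gateway showing the shape of the bug (not Socket's code).
contract VulnerableGateway {
    IERC20 public immutable weth;
    constructor(IERC20 _weth) { weth = _weth; }

    function performAction(address target, bytes calldata data, uint256 amount,
                           IERC20 toToken, uint256 minOut) external {
        // amount == 0: transferFrom pulls nothing, so a caller holding no WETH gets here.
        weth.transferFrom(msg.sender, address(this), amount);
        uint256 before = toToken.balanceOf(address(this));
        // Unsafe: the caller controls both the target and the full calldata, so `data`
        // can encode transferFrom() against any token that users have approved to us.
        (bool ok, ) = target.call(data);
        require(ok, "call failed");
        // Balance check is bypassed because the caller also picks minOut (e.g. 0).
        require(toToken.balanceOf(address(this)) - before >= minOut, "slippage");
    }
}

contract HardenedGateway {
    IERC20 public immutable weth;
    // Assumption: populated by a privileged owner; only vetted swap routers are true.
    mapping(address => bool) public allowedRoute;
    constructor(IERC20 _weth) { weth = _weth; }

    function performAction(address target, bytes calldata data, uint256 amount,
                           IERC20 toToken, uint256 minOut) external {
        require(amount > 0, "zero WETH");               // mitigation named in the analysis
        require(allowedRoute[target], "unknown route"); // added: never call arbitrary addresses
        require(minOut > 0, "zero minOut");             // added: balance check must bind
        weth.transferFrom(msg.sender, address(this), amount);
        uint256 before = toToken.balanceOf(address(this));
        (bool ok, ) = target.call(data);
        require(ok, "call failed");
        require(toToken.balanceOf(address(this)) - before >= minOut, "slippage");
    }
}
```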

Mitigation and Best Practices:

  • Add input validation to the performAction function so that the caller's transfer of Wrapped Ether (WETH) must be greater than 0.
  • Validate your code with comprehensive test cases that cover every business-logic path.
  • To prevent such vulnerabilities, experienced smart contract auditors should review contracts for logical issues. We at CredShields provide smart contract security and end-to-end security of web applications and externally exposed networks. Schedule a call at https://credshields.com/
  • Scan your Solidity contracts for the latest common security vulnerabilities, with 130+ detections, at SolidityScan.
Fig: SolidityScan — Smart Contract Vulnerability Scanner

Conclusion:

SolidityScan is an advanced smart contract scanning tool that discovers vulnerabilities and reduces risk in code. Request a security audit with us, and we will help you secure your smart contracts. Sign up for a free trial at https://solidityscan.com/signup
