Decentralized exchange Clipper was exploited for roughly $450,000 after an attacker exploited two of the protocol’s liquidity pools on the Optimism and Base blockchains.
At 4 am UTC on Dec. 1, an attacker manipulated Clipper’s withdrawal function, exploiting its ability to process bundled swap and withdrawal transactions, the protocol wrote in its first post-incident report.
The lost funds from liquidity pools on Optimism and Base accounted for roughly 6% of the total value locked in the platform, compelling it to suspend swaps and deposits on all chains and disable the ability to withdraw in the form of just one token.
“Withdrawals are still available because Clipper is noncustodial and can never prevent you from withdrawing. However, any withdrawals must be in the mix of all assets in the pool,” Clipper Dex wrote.
An initial investigation from Chaofan Shou, co-founder of security firm Fuzzland, suggested that the exploit stemmed from a private key leak, enabling the attacker to sign deposit and withdrawal requests to extract funds. However, Clipper has debunked these claims, stressing that its security architecture is designed to prevent such vulnerabilities.
Meanwhile, Clipper reassured its community that all remaining funds are secure, promising regular updates as it continues its investigation. The team is also actively tracing the stolen assets and has invited the attacker to engage in dialogue.
The Clipper exploit comes a little over a month after LayerZero-based Radiant Capital lost over $50 million on Oct. 18. Hackers managed to infect the systems of three of the protocol’s core developers, allowing them to exploit the lending protocol after gaining control over its private keys and smart contracts.
More recently, Thala protocol lost $25.5 million after an upgrade to its farming contracts introduced a vulnerability.
According to blockchain security firm PeckShield, approximately $88.4 million was lost to crypto hacks in October, pushing total on-chain losses to $181 million.
A recent report from Immunefi highlighted that attacks in November targeted DeFi more than centralized finance platforms, while total crypto losses for 2024 through November showed a 15% decline compared to the same period last year.
