Socket says Bungee protocol exploited as as funds worth $6 million appear to be stolen

Interoperability protocol Socket said Tuesday that it had paused affected contracts after reports the Bungee bridging aggregator it develops was affected by an exploit that saw as much as $6 million stolen.

"Socket has experienced a security incident which affected wallets with infinite approvals to Socket contracts. We have identified the issue have paused the affected contracts," the project's team wrote at 3:15 p.m. ET on Tuesday.

The incident was noticed an hour earlier by an anonymous researcher who goes by Spreek on X.

"Several million already gone," Spreek wrote at 2:19 p.m. ET, pointing at the attacker's address and recommending that users to revoke approvals for Socket immediately. Around 2:47 p.m. ET, the attack seems to have stopped, they later posted .

"Think this pause fixed it, very likely no more attacks are possible. So if you are currently freaking out about revoking you can probably relax," Spreek wrote.

More than $6 million received

In a little more than one hour, the reported wallet received over $6 million in USDT, USDC and DAI stablecoins, $123,500 worth of wrapped BTC, $108,600 in wrapped ether and $132,000 of MATIC, according to Etherscan . The wallet has been sending the received funds to Uniswap, 1inch and other decentralized exchanges. 

According to PeckShield, the exploit was a result of "incomplete validation of user input, which is exploited to steal funds from users who have approved the vulnerable SocketGateway contract," the researchers  wrote  on X.

PeckShield confirmed that at least $3.3 million had been affected. 

"The bad route exploited in the hack was added 3 days ago and is now disabled," it wrote in a post on X. 

"The exploiter appeared to be draining assets from users that have over-approved Socket, allow them to take funds up to the limit of their approval. To stop this users would have to revoke their approvals," The Block research director Steven Zheng said, referring to the cases in which a user allows a protocol to interact with a wallet containing more funds than is necessary for a transaction. 

"For example, if you’re bridging $1,000 in funds but approved the bridge for $2,000. The remaining $1,000 of approvals you didn't use can be drained in this attack," Zheng explained. 

Socket said it was continuing to work on the situation and that it would provide regular updates.