PANews reported on December 2 that, according to Cointelegraph, the decentralized exchange (DEX) Clipper confirmed that the recent $450,000 hack originated from a withdrawal function vulnerability, rather than the previously speculated private key leak.

According to Clipper's December 1 statement on X, the attackers exploited vulnerabilities in two liquidity pools, accounting for approximately 6% of the total value locked (TVL). The vulnerability has now been fixed, and other liquidity pools were unaffected. Clipper stated that the attack involved a 'single token withdrawal function' (bundled exchange and withdrawal transactions), which has now been disabled. The Clipper team is conducting a thorough investigation and has suspended the protocol's exchange and deposit functions. The withdrawal function remains available, provided the withdrawal is made as a combination of all assets in the pool.

According to an earlier analysis by Chaofan Shou, co-founder of security company Fuzzland, the attack may have involved API vulnerabilities that allowed attackers to sign forged deposit and withdrawal requests and thereby steal funds. Clipper has explicitly denied any connection to private key leaks, stating that this assumption is inconsistent with its security architecture.

Clipper has begun tracking the stolen funds and has sent a contact request to the attackers in an attempt to recover the assets.