QUADRIGA INITIATIVE
CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
A COMMUNITY-BASED, NOT-FOR-PROFIT
$486 000 USD
DECEMBER 2024
GLOBAL
CLOBER DEX
DESCRIPTION OF EVENTS

"The Only Fully On-chain Order Book for EVM"
"Clober presents a new algorithm for order book DEX “LOBSTER - Limit Order Book with Segment Tree for Efficient oRder-matching” that enables on-chain order matching and settlement on decentralized smart contract platforms. With Clober, market participants can place limit and market orders in a fully decentralized, trustless way at a manageable cost."
According to Trust Security, a firm which did the audit on the original contract, a "recommended fix for a previous bug would have safeguarded the contract despite any CEI violation that would later be introduced. This is a prime example of how following best practices avoids unpredictable and tragic errors down the line."
Kupia Security notes that they "had discussed how a malicious strategy can cause harm to the Rebalancer contract. The protocol team has indicated that this was intentional and not a security issue. We provided a scenario describing a specific type of attack, which, although not a reentrancy attack, could still result in a loss of funds."
"According to the breakdown provided by Nick Franklin, the attacker's recipe was depressingly simple: find the unguarded _burn function, abuse its burnHook callback, and watch the ETH flow."
"Clober Liquidity Vault was exploited, root cause is reentrance. "_burn" function calls "burnHook" function of pool.strategy contract, but it has no reentrancy check. Hacker deployed his own token contract and created pool with WETH and that token using "open" function, set pool.strategy to attack contract, now "_burn" function calls "burnHook" function of attack contract. In second "burn" function, withdrawal amount was much more because reserve value was not updated. Hacker drained all 133 WETH in vault. Keep in mind, developers, you need to finish state update before callback function. Also, don't forget reentrancy check."
"It seems today's @CloberDEX hack is due to a reentrancy issue from the burn() function. And it is further facilitated with the use of an evil strategy prepared by the hacker."
"We regret to inform our community that the Clober Liquidity Vault has been compromised in a security breach.
We want to reassure our users that the Clober protocol itself is unaffected, and all core functionalities continue to operate securely.
To the attacker: We are offering a security bounty of 20% of the stolen funds if the remaining assets are returned. Additionally, we assure you that no legal action will be taken if you comply.
Please return the funds to the following address: 0x83E66fBfB14758dA99462F389F54D4003DFB95b4
We are working with relevant parties to track and recover the assets. Thank you for your understanding and support during this challenging time."
"The security breach is limited to the Liquidity Vault on Base. We want to reassure our community that Clober Core remains unaffected, and Mitosis testnet users can continue to use the platform with confidence."
"For anyone affected by the incident, please create a support ticket on our Discord channel for assistance."
Clober responded to Kupia Security by indicating that "[t]he issue [they] raised is NOT related to the reentrancy attack. The actual attack had nothing to do with the strategy being malicious. This response is extremely irresponsible and disappointing."
Clober DEX describes itself as the only fully on-chain order book for the EVM. The EVM, or Ethereum Virtual Machine, is the execution environment in which Ethereum smart contracts run, and it has been adopted by many other blockchains, including Base, where the exploited vault was deployed. Users can place buy and sell orders and fill each other's orders much as on a centralized exchange, except that matching and settlement happen in smart contracts rather than on a company's servers. The project obtained audits from Trust Security and from Kupia Security. Changes made to the protocol afterwards introduced, or exposed, a reentrancy vulnerability in the Liquidity Vault: the _burn function called the pool strategy's burnHook callback before the pool's reserve had been updated, and nothing prevented the callback from calling back into the contract. An attacker who opened a pool with a malicious strategy contract could therefore re-enter burn from the hook and withdraw against a reserve value that had not yet been reduced. The attacker used this to drain about 133.7 ETH (as WETH) from the vault, worth roughly $486,000 at the time, somewhat less than the $500k widely cited as the official loss figure. There is no stated refund policy; Clober DEX has invited anyone affected to open a support ticket on its Discord.
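To make the ordering problem concrete, the following is an added example in Python; it is not code from Clober or from any of the sources quoted above. It models a single vault contract that holds the WETH of every pool and pays withdrawals out of that whole balance, a burn() that reads the pool reserve, calls the pool strategy's burn hook, and only then writes the reserve back (the checks-effects-interactions violation the post-mortems describe), and an attacker-deployed strategy whose hook re-enters burn(). A FixedVault finishes every state write before the callback and adds a reentrancy guard. The pool layout, share counts, the attacker's deposit and the 133 WETH of other users' liquidity are constructed for illustration, and only the WETH side of the pool is modelled; the exact internals of the real contract are not reproduced.

```python
"""Toy model of a vault burn() that calls a pool's strategy hook before it has
finished updating state, beside a version that updates state first and rejects
re-entry. Illustrative only: this is not the Clober contract, and all numbers
are constructed."""
import copy

WEI = 10**18


class ReentrancyError(RuntimeError):
    """Stands in for a nonReentrant-style revert."""


class Pool:
    def __init__(self, reserve, total_supply, strategy):
        self.reserve = reserve            # WETH attributed to this pool
        self.total_supply = total_supply  # LP shares outstanding
        self.strategy = strategy          # chosen by whoever opened the pool


class Vault:
    """One contract holding every pool's WETH; it pays from its whole balance."""

    def __init__(self, honest_weth):
        self.weth_balance = honest_weth   # constructed: WETH belonging to other pools' LPs
        self.pools, self.shares, self.payouts = {}, {}, {}
        self._locked = False

    def open(self, pool_id, owner, deposit, shares, strategy):
        self.pools[pool_id] = Pool(deposit, shares, strategy)
        self.shares[(pool_id, owner)] = shares
        self.weth_balance += deposit

    def _pay(self, user, amount):
        if amount > self.weth_balance:
            raise ValueError("insufficient WETH")   # checked arithmetic would revert here
        self.weth_balance -= amount
        self.payouts[user] = self.payouts.get(user, 0) + amount


class VulnerableVault(Vault):
    def burn(self, pool_id, user, amount):
        pool, key = self.pools[pool_id], (pool_id, user)
        if self.shares[key] < amount:
            raise ValueError("insufficient shares")
        reserve = pool.reserve                       # reserve read before the hook ...
        withdrawal = amount * reserve // pool.total_supply
        self.shares[key] -= amount
        pool.total_supply -= amount                  # supply shrinks now, reserve does not
        pool.strategy.burn_hook(self, pool_id, user, amount, withdrawal)  # untrusted callback
        pool.reserve = reserve - withdrawal          # ... and only written afterwards
        self._pay(user, withdrawal)
        return withdrawal


class FixedVault(Vault):
    def burn(self, pool_id, user, amount):
        if self._locked:
            raise ReentrancyError("burn re-entered")
        self._locked = True
        try:
            pool, key = self.pools[pool_id], (pool_id, user)
            if self.shares[key] < amount:
                raise ValueError("insufficient shares")
            withdrawal = amount * pool.reserve // pool.total_supply
            # Effects: every state write happens before the external call
            self.shares[key] -= amount
            pool.total_supply -= amount
            pool.reserve -= withdrawal
            self._pay(user, withdrawal)
            # Interaction last: the hook only ever sees post-burn state
            pool.strategy.burn_hook(self, pool_id, user, amount, withdrawal)
            return withdrawal
        finally:
            self._locked = False


class EvilStrategy:
    """Attacker-deployed strategy whose burn hook re-enters burn()."""

    def __init__(self, attacker):
        self.attacker, self.committed = attacker, 0

    def burn_hook(self, vault, pool_id, user, amount, withdrawal):
        self.committed += withdrawal                 # this frame pays out once we return
        pool = vault.pools[pool_id]
        next_amount = vault.shares[(pool_id, self.attacker)] // 2
        next_withdrawal = next_amount * pool.reserve // pool.total_supply if pool.total_supply else 0
        # Re-enter while the vault can still cover every pending payout plus one more
        if next_withdrawal and self.committed + next_withdrawal <= vault.weth_balance:
            vault.burn(pool_id, self.attacker, next_amount)


def run_attack(vault, attacker="attacker", deposit=7 * WEI, shares=2**50):
    """Open a pool with the evil strategy, then burn half the shares once.
    Returns (attacker payout, WETH left in the vault, whether the burn reverted)."""
    vault.open("evil/WETH", attacker, deposit, shares, EvilStrategy(attacker))
    snapshot = copy.deepcopy(vault)                  # state before the burn transaction
    try:
        vault.burn("evil/WETH", attacker, shares // 2)
        reverted = False
    except ReentrancyError:
        vault.__dict__.update(snapshot.__dict__)     # a revert undoes every write
        reverted = True
    return vault.payouts.get(attacker, 0), vault.weth_balance, reverted
```

Against VulnerableVault(133 * WEI) the attacker deposits 7 WETH, each nested burn is priced against the never-updated 7 WETH reserve, and 40 nested frames pay out 140 WETH, emptying the vault. Against FixedVault the nested call hits the guard and the whole transaction reverts; even without the guard, the re-entered burn would be priced against the already-reduced reserve, which is why finishing the state update before the callback is the primary fix and the guard is the backstop.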
SOURCES
@0xNickLFranklin Twitter (Dec 13)
Base Transaction Hash (Txhash) Details | BaseScan (Dec 13)
https://coinmarketcap.com/currencies/ethereum/historical-data/ (Dec 21)
@peckshield Twitter (Dec 13)
@CloberDEX Twitter (Dec 13)
@CloberDEX Twitter (Dec 13)
@trust__90 Twitter (Dec 13)
Clober | Fully On-chain Order Book (Dec 13)
Introduction | Clober (Dec 13)
