Clipper Exchange Asset Deposit/Withdrawal Manipulation
Clipper is a decentralized exchange (DEX) designed to provide liquidity providers (LPs) with concentrated liquidity and protection from common issues like impermanent loss, MEV (Miner Extractable Value) bots, and sandwich attacks. On December 1, 2024, an attacker exploited a vulnerability in Clipper's smart contracts, manipulating the single-asset deposit and withdrawal feature to exploit liquidity pools on the Optimism and Base networks. By performing swaps to manipulate pool balances, the attacker obtained more assets than they deposited, causing a loss of approximately $457,878. The attack was promptly mitigated by the AdmiralDAO, securing remaining funds and halting further activity while initiating an investigation and engaging security firms for recovery efforts. It does no[1][2][3][4][5][6][7][8][9][10][11][12][13]
About Clipper Exchange
Clipper is a decentralized exchange (DEX) designed to provide liquidity providers (LPs) with concentrated liquidity and protection from common issues like impermanent loss, MEV (Miner Extractable Value) bots, and sandwich attacks. By offering up to 100x concentrated liquidity around market prices and using rapid rebalancing, Clipper amplifies returns for LPs while maintaining firm pricing. It leverages a unique architecture that enables better yields and more secure trading for liquidity providers. The platform is permissionless and designed for professionals, allowing users to participate in DeFi with minimal risk. Clipper also features the SAIL token, which rewards LPs and is part of the governance of the AdmiralDAO. The exchange has facilitated billions in trading volume and supports a growing community of users.
The Reality
This section is included if a case involved deception or information that was unknown at the time. Examples include:
- When the service was actually started (if different than the "official story").
- Who actually ran a service and their own personal history.
- How the service was structured behind the scenes. (For example, there was no "trading bot".)
- Details of what audits reported and how vulnerabilities were missed during auditing.
What Happened
On December 1, 2024, an attacker exploited a vulnerability in Clipper's smart contracts, manipulating the single-asset deposit and withdrawal feature to exploit liquidity pools on the Optimism and Base networks. By performing swaps to manipulate pool balances, the attacker obtained more assets than they deposited, causing a loss of approximately $457,878.
| Date | Event | Description |
|---|---|---|
| November 30th, 2024 8:22:51 PM MST | Base Exploit Transaction | The protocol is exploited on the Base blockchain. |
| November 30th, 2024 9:15:05 PM MST | Optimism Exploit Transaction | The protocol is exploited on the Optimism blockchain. |
| December 4th, 2024 7:10:10 PM MST | Clipper DEX Publishes Post-Mortem | A detailed post-mortem of the exploit is shared on the Clipper DEX blog, explaining the incident, providing transparency on the attack vector and its consequences, and outlining steps for securing the platform going forward. |
| January 15th, 2025 7:31:00 PM MST | Ethereum Recovery Announced | The team announces that 104 ETH has been returned to their treasury by the exploiter. They are determining how to distribute those funds to affected users. |
Technical Details
- "Small pools allowed for imbalances and exploitation: Low balances and low k values combined with low transaction costs on L2s made pools more vulnerable to manipulation. Base and Optimism were the two smallest pools, and Optimism had a 5x lower k value than any other chain. As a result, the Optimism and Base pools were more vulnerable. Protections built to prevent malicious swaps were not applied to single-asset deposits/withdrawals (which include a swap)."
- "Lack of On-Chain Validation: Clipper's smart contracts validate pool invariants and check for significant state changes during execution of normal swaps, but that was not customary on single-asset withdrawals because of an additional fee that mitigated arbitrage in the past."
- "API Limitations: The API endpoints have mechanisms to detect abnormal request patterns and prevent misuse for normal swaps (e.g. thousands of swaps from similar sources and wallets that have characteristics of bots), but that was not customary on single-asset withdrawals because of an additional fee that mitigated arbitrage in the past."
- "Recent updates introduced a bug in Clipper's Circuit-breaker: Clipper includes an off-chain circuit-breaker as an added safeguard to pause swaps in the event of significant balance changes in the pools. A recent database upgrade, implemented to enable the future possibility to support multiple pools on each chain, introduced an unexpected interaction with the circuit-breaker logic that had not been detected in the testing environment. This has since been addressed."
Total Amount Lost
$457,878 according to the post-mortem.
The total amount lost has been estimated at $458,000 USD.
Immediate Reactions
The exploit was detected and responded to swiftly by AdmiralDAO, who paused the API and initiated an investigation. The vulnerability was linked to low pool balances and the absence of protections on single-asset withdrawals. In response, Clipper is implementing contract enhancements, improved API security, and circuit-breaker systems to prevent future exploits.
Ultimate Outcome
Clipper is implementing several remediation actions to address the vulnerability and prevent future exploits. First, they will enhance their smart contracts by adding on-chain validations to ensure that pool invariants remain consistent during single-asset withdrawals, similar to existing protections for swaps. They also plan to integrate price oracles to validate asset values on deposits and withdrawals, and consider introducing a short lockup period for new deposits to prevent manipulation.
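The central point of the Technical Details quote, and of the first remediation above, is that the invariant and "significant state change" checks wrapped normal swaps but not single-asset deposits and withdrawals, even though those contain a swap. The following added example is not Clipper's code: it assumes a simplified constant-product pool as a stand-in for Clipper's pricing, with constructed tolerances and a deliberately naive withdrawal quote, and applies the same guard to both paths; setting `guard_withdrawals=False` reproduces the unguarded pre-fix path.

```python
import math
from dataclasses import dataclass

# Constructed tolerances (not Clipper's real parameters).
MAX_VPS_DROP = 0.001       # value per share may not fall >0.1% in one call
MAX_BALANCE_MOVE = 0.20    # one call may not move >20% of either reserve
SWAP_FEE = 0.003

class InvariantViolation(Exception):
    """State change breaches the pool guard (a contract would revert here)."""

@dataclass
class Pool:
    """Simplified constant-product pool standing in for Clipper's pricing (assumption)."""
    x: float                        # reserve of asset X
    y: float                        # reserve of asset Y
    shares: float                   # outstanding LP shares
    guard_withdrawals: bool = True  # False reproduces the unguarded pre-fix path

    def value_per_share(self) -> float:
        # sqrt(k) / shares: never decreases for an honest swap or withdrawal.
        return math.sqrt(self.x * self.y) / self.shares

    def _check(self, snap) -> None:
        bx, by, bvps = snap
        if self.value_per_share() < bvps * (1 - MAX_VPS_DROP):
            raise InvariantViolation("value per share dropped")
        if abs(self.x - bx) > MAX_BALANCE_MOVE * bx or abs(self.y - by) > MAX_BALANCE_MOVE * by:
            raise InvariantViolation("significant balance change")

    def swap_x_for_y(self, dx: float) -> float:
        snap = (self.x, self.y, self.value_per_share())
        dy = self.y - (self.x * self.y) / (self.x + dx * (1 - SWAP_FEE))
        self.x += dx
        self.y -= dy
        self._check(snap)            # swaps were always guarded
        return dy

    def withdraw_single_asset_y(self, share_fraction: float) -> float:
        """Burn a fraction of the shares and pay the whole value out in Y.
        Naive quote (constructed flaw): values the X half at spot price and
        ignores the price impact of converting it, so it overpays the LP."""
        snap = (self.x, self.y, self.value_per_share())
        dy = share_fraction * (self.y + self.x * (self.y / self.x))
        self.y -= dy
        self.shares *= 1 - share_fraction
        if self.guard_withdrawals:   # pre-fix: this path skipped the guard
            self._check(snap)
        return dy
```

With the guard in place the overpaying withdrawal is rejected; without it the same call succeeds and the value per share of the remaining LPs silently drops, which is the shape of loss the post-mortem describes.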
In terms of API and backend security, Clipper will extend its circuit-breaker system to automatically halt deposit and withdrawal actions if abnormal behavior is detected in the pools. Additionally, they will improve behavioral monitoring to detect bot-like activity and abnormal API usage, applying similar protections already in place for normal swaps. Safeguards will also be introduced for configurations like the k parameter, expiration times for signatures, and deposit lock times, along with a dashboard to allow contributors to review and discuss API settings.
Clipper is also considering proactive monitoring to detect suspicious on-chain behavior, which could provide early warnings and potentially prevent future attacks. Finally, AdmiralDAO is engaging ZeroShadow, an incident response firm, to trace and recover the compromised funds.
Total Amount Recovered
"A tracing and recovery firm has been retained (Zeroshadow). Once the potential for recovery is assessed, methods to finance a refund will be considered. To clarify, there are no guarantees at this time, but neither has the issue been discussed. One thing at a time."
"The winds of fortune have shifted—104 ETH has been returned to our treasure chest by the scallywag behind the recent exploit! The crew is now plotting the best course for refunds to ensure fairness for all affected mates. Stay anchored—we’ll share updates soon!"
There do not appear to have been any funds recovered in this case.
Ongoing Developments
Funds are being traced and recovery efforts are underway. Clipper is also planning to re-enable trading once remediations and security reviews are complete.
"I sincerely apologize for the delay due to personal health issues. I'd like to return the entire amount (104 ETH) I took, though it is a bit late. As far as I know, there are no longer any vulnerabilities in the contract. I wish for the continued growth and success of your community."
"The crew is now plotting the best course for refunds to ensure fairness for all affected mates. Stay anchored—we’ll share updates soon!"
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
1. Clipper Dec 24 Exploit Post-Mortem (Accessed Jan 20, 2025)
2. OP Mainnet Transaction Hash (Txhash) Details | OP Mainnet Etherscan (Accessed Jan 20, 2025)
3. @Clipper_DEX Twitter (Accessed Jan 20, 2025)
4. @Clipper_DEX Twitter (Accessed Jan 20, 2025)
5. @Clipper_DEX Twitter (Accessed Jan 20, 2025)
6. @Clipper_DEX Twitter (Accessed Jan 20, 2025)
7. @Clipper_DEX Twitter (Accessed Jan 20, 2025)
8. @Clipper_DEX Twitter (Accessed Jan 20, 2025)
9. @Clipper_DEX Twitter (Accessed Jan 20, 2025)
10. @Clipper_DEX Twitter (Accessed Jan 20, 2025)
11. @Clipper_DEX Twitter (Accessed Jan 20, 2025)
12. @Clipper_DEX Twitter (Accessed Jan 20, 2025)
13. @Clipper_DEX Twitter (Accessed Jan 20, 2025)