# Full Report
Socket Tech allows for interoperability between all of the major wallets. On January 16th, they were exploited in a major way. Socket Gateway hosts various modules that can only be added by administrators. When deploying these modules, a developer first deploys the module, then an admin attaches it to the gateway contract. The goal was to update the contract WrapperTokenSwapgerImpl. When doing this, the development team had a mixup on which version should be deployed: the pre-review version or the post-review version. For whatever reason, the pre-review module got deployed and attached to the contract. The original code had an arbitrary call vulnerability where both the address being called and the calldata, including the function selector, could be set by the caller. As a result, an attacker called transferFrom() on all of the token contracts that had large approvals from users. This is a good example of why token approvals should NOT be infinite. Overall, the bug is pretty simple. The interesting part to me is how the bug got released into the wild. The team had reviewed the code and found the bug but released the wrong version. I suppose a more rigorous CI/CD program for deployment could have stopped this issue.
# Analysis Summary
# Incident Report: Socket Tech Gateway Exploitation
## Executive Summary
On January 16th, 2024, the interoperability protocol Socket Tech was exploited due to an arbitrary call vulnerability in a newly deployed contract module. The vulnerability allowed an attacker to drain funds from users who had granted infinite token approvals to the Socket Gateway contract. The incident was the result of a deployment process failure where an unvetted, pre-review version of the code was mistakenly pushed to production instead of the patched version.
## Incident Details
- **Discovery Date:** January 16, 2024
- **Incident Date:** January 16, 2024
- **Affected Organization:** Socket Tech (Socket Gateway)
- **Sector:** Decentralized Finance (DeFi) / Web3 Infrastructure
- **Geography:** Global / Decentralized
## Timeline of Events
### Initial Access
- **Date/Time:** January 16, 2024
- **Vector:** Supply Chain / Deployment Error
- **Details:** The Socket administration team attached a "pre-review" version of the `WrapperTokenSwapgerImpl` module to the Socket Gateway contract. This version contained a critical flaw allowing arbitrary calls.
### Lateral Movement
- **Details:** Not applicable in the traditional network sense; the attacker used the vulnerable contract as a proxy to interact with external ERC-20 token contracts.
### Data Exfiltration/Impact
- **Details:** The attacker targeted users who had previously granted "infinite approvals" to the Socket Gateway. By calling `transferFrom()` via the vulnerable contract, the attacker moved user assets to their own controlled wallets.
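The defect class described in the Full Report and in this section, shown as an added, constructed Solidity example (this is not Socket's source and not the real `WrapperTokenSwapgerImpl`; the contract and function names `VulnerableSwapModule`, `performAction`, `HardenedSwapModule`, `swap` and `_tokenCall` are hypothetical). The first contract lets the caller pick both the target and the full calldata, so any token that has granted an allowance to the module's address will honour a `transferFrom` issued through it. The second contract never forwards caller-chosen calldata to a token: it encodes every ERC-20 call itself, only ever pulls from `msg.sender`, and restricts the one low-level call it does make to an allow-listed router that cannot be the token address.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Standard ERC-20 surface used below.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

// Constructed example of the arbitrary-call defect (NOT Socket's code).
contract VulnerableSwapModule {
    // Caller supplies both the destination and the entire calldata, and the
    // call executes from this contract. In a gateway design this is the
    // address users have approved, so the callee sees msg.sender == gateway
    // and any allowance granted to the gateway is spendable this way.
    function performAction(address target, bytes calldata data) external returns (bytes memory) {
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "call failed");
        return ret;
    }
}

// Hardened form (hypothetical): no caller-controlled calldata reaches a token.
contract HardenedSwapModule {
    address public immutable owner;
    mapping(address => bool) public allowedRouters;

    constructor() { owner = msg.sender; }

    function setRouter(address router, bool allowed) external {
        require(msg.sender == owner, "not owner");
        allowedRouters[router] = allowed;
    }

    function swap(address tokenIn, uint256 amountIn, address router, bytes calldata routerCalldata)
        external
        returns (bytes memory)
    {
        require(tokenIn.code.length > 0, "token is not a contract");
        require(allowedRouters[router], "router not allowed");
        require(router != tokenIn, "router must not be the token");

        // Pull exactly amountIn, and only from the caller, never from a third party.
        _tokenCall(tokenIn, abi.encodeCall(IERC20.transferFrom, (msg.sender, address(this), amountIn)));
        // Give the router a transient, exact allowance for this swap only.
        _tokenCall(tokenIn, abi.encodeCall(IERC20.approve, (router, amountIn)));

        // The only forwarded calldata goes to an allow-listed router; the router
        // sees msg.sender == this module, so user allowances to the gateway are
        // not reachable from it.
        (bool ok, bytes memory ret) = router.call(routerCalldata);
        require(ok, "swap failed");

        // Leave no standing allowance behind.
        _tokenCall(tokenIn, abi.encodeCall(IERC20.approve, (router, 0)));
        return ret;
    }

    // Tolerates tokens that return nothing (USDT-style) as well as those that return bool.
    function _tokenCall(address token, bytes memory data) private {
        (bool ok, bytes memory ret) = token.call(data);
        require(ok && (ret.length == 0 || abi.decode(ret, (bool))), "token call failed");
    }
}
```

The design point is that a module sitting behind user allowances must treat "which contract do I call, with which selector and arguments" as privileged state, not as user input; the allow-list plus self-encoded calldata is what makes the approved gateway address unusable as a generic proxy.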
### Detection & Response
- **Detection:** Identified via on-chain monitoring as unauthorized fund transfers occurred.
- **Response actions taken:** The Socket team identified the faulty module and paused/removed the affected `WrapperTokenSwapgerImpl` contract to prevent further drainage.
## Attack Methodology
- **Initial Access:** Exploitation of a flawed smart contract module deployed by the protocol admins.
- **Persistence:** On-chain exploitation; no persistent backdoor required once the vulnerable module was active.
- **Privilege Escalation:** Not applicable; the attacker leveraged the inherent "Administrator" trust placed in the deployed module.
- **Defense Evasion:** None; the attack was conducted publicly on the blockchain.
- **Credential Access:** Not applicable.
- **Discovery:** The attacker identified the arbitrary call vulnerability in the `WrapperTokenSwapgerImpl` contract.
- **Lateral Movement:** Execution of `transferFrom` calls across multiple disparate token contracts via the vulnerable gateway.
- **Collection:** Aggregation of various user tokens (USDC, USDT, etc.) into the attacker's wallet.
- **Exfiltration:** Transfer of assets to external EOA (Externally Owned Account) addresses.
- **Impact:** Financial theft from end-users totaling millions of dollars.
## Impact Assessment
- **Financial:** Major loss of user funds (estimated in the millions).
- **Data Breach:** Public exposure of transaction history; no private PII breach.
- **Operational:** Essential protocol functionality was temporarily disabled to contain the threat.
- **Reputational:** Significant damage to user trust regarding safety of "unlimited approvals" on the platform.
## Indicators of Compromise
- **Behavioral indicators:** Unusual volume of `transferFrom` calls originating from the Socket Gateway contract targeting high-balance user wallets.
- **Contract Address:** Affected module `WrapperTokenSwapgerImpl`.
## Response Actions
- **Containment measures:** Immediate revoking/unlinking of the vulnerable module from the main Socket Gateway.
- **Eradication steps:** Replacement of the faulty module with the intended, post-review version.
- **Recovery actions:** Coordination with security firms to track stolen funds and communication with affected users regarding the incident.
## Lessons Learned
- **Deployment Discipline:** The primary point of failure was the manual "mixup" between pre-review and post-review code versions during deployment.
- **Approval Risks:** The incident highlights the systemic risk of "Infinite Approvals" in DeFi; if a trusted contract is compromised, all approved user funds are at risk.
- **Review Verification:** Finding a bug during a code review is insufficient if the remediation is not strictly mapped to the deployment pipeline.
## Recommendations
- **Rigorous CI/CD:** Implement automated deployment pipelines that ensure only signed, peer-reviewed, and "Main" branch code can be deployed to production.
- **Limited Approvals:** Encourage users to utilize "exact amount" approvals rather than infinite approvals, or implement "permit" (EIP-2612) to minimize long-standing allowances.
- **On-Chain Circuit Breakers:** Implement pause functionality or rate-limiting for new modules to mitigate impact in the event of a post-deployment failure.
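The three recommendations above, worked into one added Solidity example (constructed for this report, not Socket Gateway's code; `GuardedGateway`, `IRoute`, `approveRouteCode`, `attachRoute` and `executeWithPermit` are hypothetical names). It enforces the review-to-deployment mapping on chain by recording the runtime bytecode hash of the reviewed build before anything is deployed and refusing to attach a module whose `codehash` differs; it adds per-route and global pause switches plus a rolling-window volume cap; and it takes user funds through a one-shot EIP-2612 `permit` for the exact amount, so no long-standing allowance to the gateway remains.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Standard interfaces: ERC-20 and the EIP-2612 permit extension.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface IERC20Permit {
    function permit(
        address owner, address spender, uint256 value, uint256 deadline,
        uint8 v, bytes32 r, bytes32 s
    ) external;
}

// Hypothetical route interface: a route receives the tokens and acts on them.
interface IRoute {
    function execute(address token, uint256 amount, bytes calldata params) external returns (bytes memory);
}

contract GuardedGateway {
    uint256 public constant WINDOW = 1 hours;

    struct Route {
        address impl;
        bytes32 approvedCodeHash; // keccak256 of the reviewed artifact's runtime bytecode
        uint256 volumeCap;        // max token units this route may move per WINDOW (simplified: one cap for all tokens)
        uint256 windowStart;
        uint256 volumeInWindow;
        bool paused;
    }

    address public immutable admin;
    bool public paused;
    mapping(uint32 => Route) public routes;

    event RouteAttached(uint32 indexed routeId, address impl);
    event RoutePaused(uint32 indexed routeId, bool paused);

    modifier onlyAdmin() { require(msg.sender == admin, "not admin"); _; }

    constructor() { admin = msg.sender; }

    // Review gate, step 1: record the hash of the build that passed review
    // BEFORE deployment. The CI pipeline supplies this from the approved artifact.
    function approveRouteCode(uint32 routeId, bytes32 codeHash, uint256 volumeCap) external onlyAdmin {
        routes[routeId].approvedCodeHash = codeHash;
        routes[routeId].volumeCap = volumeCap;
    }

    // Review gate, step 2: attaching a contract whose bytecode does not match
    // the approved hash (e.g. a pre-review build deployed by mistake) reverts.
    function attachRoute(uint32 routeId, address impl) external onlyAdmin {
        Route storage r = routes[routeId];
        require(r.approvedCodeHash != bytes32(0), "route code not approved");
        require(impl.codehash == r.approvedCodeHash, "bytecode does not match reviewed build");
        r.impl = impl;
        emit RouteAttached(routeId, impl);
    }

    // Circuit breakers: per route and for the whole gateway.
    function setRoutePaused(uint32 routeId, bool p) external onlyAdmin {
        routes[routeId].paused = p;
        emit RoutePaused(routeId, p);
    }

    function setPaused(bool p) external onlyAdmin { paused = p; }

    // User entry point. The permit authorises exactly `amount` to this gateway
    // and transferFrom consumes it in the same transaction.
    function executeWithPermit(
        uint32 routeId, address token, uint256 amount, bytes calldata params,
        uint256 deadline, uint8 v, bytes32 r, bytes32 s
    ) external returns (bytes memory) {
        require(!paused, "gateway paused");
        Route storage rt = routes[routeId];
        require(rt.impl != address(0) && !rt.paused, "route unavailable");
        _checkRateLimit(rt, amount);

        // try/catch so that a permit already submitted by someone else does not
        // brick the call; without allowance the transferFrom below still fails.
        try IERC20Permit(token).permit(msg.sender, address(this), amount, deadline, v, r, s) {} catch {}

        // Only the caller's own tokens move, directly to the route.
        require(IERC20(token).transferFrom(msg.sender, rt.impl, amount), "transferFrom failed");
        return IRoute(rt.impl).execute(token, amount, params);
    }

    function _checkRateLimit(Route storage rt, uint256 amount) private {
        if (block.timestamp >= rt.windowStart + WINDOW) {
            rt.windowStart = block.timestamp;
            rt.volumeInWindow = 0;
        }
        require(rt.volumeInWindow + amount <= rt.volumeCap, "route volume cap exceeded");
        rt.volumeInWindow += amount;
    }
}
```

Two practical caveats: the `codehash` check only works if the build is deterministic (same compiler version, settings and metadata, and no constructor-set immutables that differ between review and deployment), so the pipeline that computes the approved hash must compile the reviewed commit exactly as it will be deployed; and the single raw-unit volume cap is a simplification, since a real deployment would set caps per token (or in a common unit) and size them to legitimate traffic so the breaker trips on drain-like volume rather than on normal use.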