
Data Validation Flaw Leads to $3.3 Million Loss: A Deep Dive into the Socket Attack Incident
TechFlow Selected TechFlow Selected

Data Validation Flaw Leads to $3.3 Million Loss: A Deep Dive into the Socket Attack Incident
On January 16, 2024, Socket Tech was attacked, resulting in a loss of approximately $3.3 million. This article provides a detailed analysis of the entire incident.
By CertiK

On January 16, 2024, Socket Tech was attacked, resulting in a loss of approximately $3.3 million. The attacker exploited a vulnerability in the data validation process within one of Socket's contracts, stealing user funds from authorized contracts through malicious data input. This attack affected 230 addresses, with the largest single loss amounting to about $656,000.
Background
Socket is an interoperability protocol designed for secure and efficient cross-chain data and asset transfers. The Socket Gateway contract serves as the entry point for all interactions with Socket’s liquidity layer, aggregating all asset bridges and DEXs into a single unified meta-bridge that selects optimal transaction routes based on user preferences such as cost, latency, or security.
Three days before the attack, the Socket contract administrator executed the addRoute command, adding a new route to the system. While intended to expand the functionality of the Socket Gateway, this action inadvertently introduced a critical vulnerability.
The image below shows the record of the route added by the contract administrator:

Incident Overview
1. At 15:03 Beijing time on January 16, the attacker's wallet transferred funds used for the attack. Our timeline analysis indicates these funds originated from 0xe620, linked to a withdrawal of 10 BNB from Tornado Cash.

2. These funds were used to deploy and execute two contracts exploiting the Socket vulnerability. The first contract targeted USDC held in addresses that had approved SocketGateway. A total of 127 victims lost approximately $2.5 million.

3. Next, the second contract targeted WETH, USDT, WBTC, DAI, and MATIC within victim addresses. An additional 104 victims lost the following assets:
-
42.48 WETH
-
347,005.65 USDT
-
2.89 WBTC
-
13,821.01 DAI
-
165,356.99 MATIC
4. The attacker converted the stolen USDC and USDT into ETH.

Root Cause
The vulnerability exploited by the attacker resided in the performAction function within the newly added route address (routeAddress).
This function was originally designed to assist wrapping and unwrapping operations.
However, a critical flaw existed: users could directly pass external data via swapExtraData into a .call() without proper validation, allowing attackers to execute arbitrary malicious functions.

In this incident, the attacker crafted malicious swapExtraData input to trigger the transferFrom function. This malicious call leveraged users’ approvals granted to the SocketGateway contract to steal their funds.
Although the contract checks balance changes after the fromToken.call() to ensure correct behavior, it fails to account for cases where the attacker sets the transfer amount to zero.

Attack Flow Reconstruction
1. Using the attack contract, the attacker called function 0x00000196() on the Socket Gateway contract.

2. The fallback() function invoked the vulnerable route address contract (routerAddress) using the hex signature 196.

3. In the screenshot below, we can see the attacker’s fake input where all swapping amounts are set to zero.

4. This then triggered a call to WrappedTokenSwapperImpl.performAction() for the swap operation.

5. Without any validation, the malicious SwapExtraData was accepted and executed by the fromToken (WETH).

6. The attacker repeated this process until victims' assets were depleted. After detecting the malicious transactions, Socket quickly called disableRoute to deactivate the vulnerable route, preventing further damage.
7. On January 23, Socket announced the recovery of 1,032 ETH, and on January 25, confirmed full reimbursement for all affected users. The incident has since been resolved.

Conclusion
Malicious calldata attacks in routing contracts with unlimited user approvals are not uncommon.
Previous similar incidents include Dexible and Hector Bridge.
On February 17, 2023, decentralized exchange Dexible was attacked, losing over $1.5 million. The attacker exploited the fill() function by injecting malicious calldata to steal user assets.
On June 2, 2023, Hector Network’s protocol was compromised. The attacker deployed a fake USDC contract and used malicious calldata to transfer 652,000 real USDC tokens out of victims’ contracts.
Blockchain aggregation platforms often enhance liquidity and reduce slippage by bundling multiple bridges and routing contracts. However, such complex integrations introduce greater security challenges.
The resolution of this Socket incident reflects the collective efforts of various parties involved. CertiK remains committed to providing comprehensive auditing and threat detection services to mitigate risks associated with aggregation platforms, strengthen community trust, and improve overall industry security standards.
Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News










