Bungee, a cross-chain bridge that connects different blockchains, has been exploited by hackers who stole about $6 million worth of cryptocurrencies from users’ wallets.
The attack was detected on Tuesday, January 16, 2024, by an anonymous security researcher who alerted the public on X. The researcher advised users to revoke their approvals for Socket protocol an interoperability protocol that develops Bungee.
The team also said that they had identified the issue and fixed it and that they were working on a compensation plan for the victims.
According to the researcher, the exploit was caused by a flaw in the user input validation, which allowed the hackers to access the funds of users who had given infinite approvals to Socket protocol contracts.
Approvals are permissions that let blockchain applications interact with the tokens in a user’s wallet.
The hackers’ wallet address shows that they have siphoned nearly $3 million in ether (ETH) and $300,000 worth of other tokens from Bungee users.
Bungee is one of the many cross-chain bridges that allow for interoperability and liquidity among different blockchains. However, these bridges also pose significant security risks, involving complex and often unaudited code.
A recent study by IntoTheBlock, an on-chain analytics platform, revealed that most of the exploits in the decentralized finance (DeFi) space are the result of unaudited projects.
The study suggested that audits should be a minimum requirement for DeFi protocols, as they can help identify and prevent potential vulnerabilities.
Bungee is not the first cross-chain bridge to suffer a major hack. Earlier this month, Orbit Chain, another cross-chain bridge that connects Ethereum to other networks, was exploited for $81 million, making it the largest DeFi hack of the year so far.