Clober Liquidity Vault

2023-02-14

Clober V1 launches as the first fully on-chain order book DEX for EVM, introducing the LOBSTER algorithm.

2024-11-30

Clober announces the Clober Liquidity Vault (CLV) going live on Base network, combining order book precision with AMM simplicity using Chainlink DataStream price feeds.

2024-12-10

Clober Liquidity Vault on Base is exploited via a reentrancy attack on the Rebalancer contract's _burn() function. Attacker uses a 267.4 ETH Morpho Blue flash loan and a malicious strategy contract. Approximately 133.7 ETH (~$501,000) is drained. PeckShield issues the first public alert.

2024-12-10

Stolen 133.7 ETH is bridged from Base to Ethereum mainnet via Across Protocol and split across two attacker-controlled addresses: 0x711C87A0767101Fa6f3893FACb670B5689621e23 and 0x7760d838192f6E526721a0f6b160627baE989a3e.

2024-12-11

Clober team issues a public statement confirming the exploit, asserting Core protocol and Arbitrum are unaffected, and sends an on-chain message offering the attacker a 20% white-hat bounty (~$100,000) with no legal repercussions.

2024-12-11

CertiK, QuillAudits, SolidityScan, and Lunaray publish independent technical post-mortems. Security researcher Raz0r of Decurity identifies the vulnerable burnHook as a post-audit code addition.

2024-12-31

Clober team confirms bounty negotiations with the attacker have failed and that the stolen assets have been moved into Tornado Cash, effectively laundering the funds.