Skip to main content
Sign in
Socket Protocol1 decision on this page

Audit log

Every state-changing event for Socket Protocol: moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.

  1. #1publishby system:backfill
    2026-05-31 07:00:02Z
    Score: ?? (no score change)
    anchoranchored
    chain
    mainnet-betaslot 423,324,629
    sig
    33vHoH4DhFu1…vnwz6ajCexplorer ↗
    hash
    EW8h9F2cE4G6…dPajaYKdsha256 → base58
    verifying row…full verify ↗
    canonical bytes (16451 B) ▸
    {"actor":"system:backfill","investigation_id":"ab00ba7b-7a03-47da-bf5e-acf5a07d2621","kind":"publish","page_slug":"socket-protocol","published_at":"2026-05-31T07:00:02.793Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Socket Protocol","sections":[{"content":"On January 16, 2024, at approximately 19:03 UTC, an attacker exploited a critical vulnerability in a newly deployed route module within Socket Protocol's SocketGateway aggregator contract on Ethereum Mainnet. The vulnerable module, a WrappedTokenSwapperImpl contract, had been added to the gateway only three days prior via an admin addRoute transaction. The root cause was the direct, unvalidated use of .call() with the external user-supplied swapExtraData parameter inside the performAction function. Because no input validation was applied, the attacker was able to inject a transferFrom calldata payload that caused the SocketGateway contract — acting with the full approval authority users had previously granted — to transfer tokens directly from victim wallets to the attacker's address. The attacker deployed two dedicated exploit contracts: one targeting USDC holdings and a second targeting USDT, WBTC, WETH, MATIC, and DAI. Approximately 230 wallets were affected. The total loss was approximately $3.3 million, with the largest single victim losing approximately 656,000 USDC.","heading":"January 2024 Smart Contract Exploit","severity":"critical","sources":[{"credibility":2,"name":"Halborn: Explained — The Socket Protocol Hack (January 2024)","type":"research","url":"https://www.halborn.com/blog/post/explained-the-socket-protocol-hack-january-2024"},{"credibility":2,"name":"CertiK: Socket Tech Incident Analysis","type":"research","url":"https://www.certik.com/resources/blog/socket-tech-incident-analysis"},{"credibility":1,"name":"The Block: Socket says Bungee protocol exploited, funds worth at least $3.3M appear stolen","type":"news","url":"https://www.theblock.co/post/272986/socket-says-bungee-protocol-exploited"},{"credibility":1,"name":"CoinDesk: Socket, Bungee Restart Operations After Apparent $3.3M Exploit","type":"news","url":"https://www.coindesk.com/tech/2024/01/17/socket-bungee-restart-operations-after-apparent-33m-exploit"}]},{"content":"Security researchers at CertiK and Halborn independently confirmed that the vulnerability resided in the performAction function of the newly deployed route contract. The function passed the swapExtraData parameter — entirely controlled by the caller — directly into a low-level .call() instruction without any sanitization or whitelist enforcement. An additional flaw in the balance check logic failed to account for scenarios in which 0 WETH was transferred, bypassing what might otherwise have served as a guard. The team later disclosed that the root cause of the deployment included a process failure: a pre-code-review version of the module was pushed to production instead of the reviewed version, meaning the module was live on Ethereum Mainnet for three days before it was exploited. Security researchers noted that a thorough smart contract audit of the new module prior to deployment would likely have identified the flaw.","heading":"Vulnerability Root Cause: Unvalidated External Calldata","severity":"high","sources":[{"credibility":2,"name":"CertiK: Socket Tech Incident Analysis","type":"research","url":"https://www.certik.com/resources/blog/socket-tech-incident-analysis"},{"credibility":2,"name":"Halborn: Explained — The Socket Protocol Hack (January 2024)","type":"research","url":"https://www.halborn.com/blog/post/explained-the-socket-protocol-hack-january-2024"},{"credibility":2,"name":"Blockworks: Socket Tech security breach affects multiple dApps and wallets","type":"news","url":"https://blockworks.co/news/socket-bridge-protocol-exploit"}]},{"content":"Within approximately 14 minutes of the exploit being detected, Socket's team disabled the vulnerable route and deployed corrective code. The pause halted any further drainage from the vulnerable module, limiting the total loss to the $3.3 million stolen across the two attacker transactions. Operations on both Socket and its consumer-facing Bungee Exchange product were paused while the team conducted a full investigation. The Socket admin wallet subsequently broadcast an on-chain message directed at the attacker's address, inviting the attacker to negotiate a bounty and the return of user funds, with a 12-hour response window. CoinDesk and Blockworks reported that Bungee and Socket resumed normal operations the day following the incident, on January 17, 2024.","heading":"Incident Response and Contract Pause","severity":"medium","sources":[{"credibility":2,"name":"Halborn: Explained — The Socket Protocol Hack (January 2024)","type":"research","url":"https://www.halborn.com/blog/post/explained-the-socket-protocol-hack-january-2024"},{"credibility":1,"name":"CoinDesk: Socket, Bungee Restart Operations After Apparent $3.3M Exploit","type":"news","url":"https://www.coindesk.com/tech/2024/01/17/socket-bungee-restart-operations-after-apparent-33m-exploit"},{"credibility":2,"name":"Revoke.cash: 2024 Socket Hack — Check If You're Affected","type":"other","url":"https://revoke.cash/exploits/socket"}]},{"content":"Following on-chain outreach, Socket reported that a series of negotiations with the attacker resulted in the return of 1,032 ETH, valued at approximately $2.3 million at prevailing prices. The team announced it would cover the remaining shortfall — approximately $1.1 million — from its own resources, ensuring that all 232 affected users would be made whole. Compensation was distributed directly to affected wallets via a dedicated recovery portal at recovery.socket.tech. Recipients were required to sign an on-chain message to confirm wallet ownership but, notably, were not required to grant any new token approvals, avoiding re-exposure of users to approval-based risk. CoinTelegraph and CryptoBriefing reported on the recovery and compensation plan.","heading":"Fund Recovery and User Compensation","severity":"low","sources":[{"credibility":1,"name":"CoinTelegraph: Socket protocol recovers two-thirds of stolen ETH from hack","type":"news","url":"https://cointelegraph.com/news/socket-protocol-recovers-two-thirds-stolen-eth-from-hack"},{"credibility":2,"name":"CryptoBriefing: Socket recovers $2.3 million in ETH after bridge protocol exploit","type":"news","url":"https://cryptobriefing.com/socket-recovers-23-million-eth-bridge-protocol-exploit/"},{"credibility":1,"name":"The Block: Socket says it recovered 1,032 ETH following Bungee exploit","type":"news","url":"https://www.theblock.co/post/273964/socket-ether-recovery-bungee-exploit"},{"credibility":2,"name":"Blockworks: Socket bridge victims will be made whole","type":"news","url":"https://blockworks.co/news/defi-exploit-socket-compensation-plan"}]},{"content":"The exploit specifically targeted users who had granted infinite (unlimited) token approvals to the SocketGateway contract — a common pattern in DeFi bridging and aggregation interfaces. Socket's default approval setting was reported to be finite approvals rather than infinite, but a subset of users had nevertheless granted unlimited approvals, making them vulnerable. Security tools including Revoke.cash published guidance instructing users to audit and revoke outstanding approvals to Socket contracts. This incident reinforced the well-documented risk of granting unlimited ERC-20 token approvals to any smart contract, as a single vulnerability in an approved contract can expose the full approved balance to theft without any further user interaction.","heading":"Approval-Based Risk for End Users","severity":"high","sources":[{"credibility":2,"name":"Revoke.cash: 2024 Socket Hack — Check If You're Affected","type":"other","url":"https://revoke.cash/exploits/socket"},{"credibility":2,"name":"Beosin: Socket Protocol Falls Victim to Call Injection Attack","type":"research","url":"https://beosin.com/resources/socket-protocol-falls-victim-to-hackers-call-injection-attack-resulting-in-approximately-33-million%C2%A0theft"},{"credibility":2,"name":"AMBCrypto: Socket protocol loses $3.3 million in exploit, details here","type":"news","url":"https://ambcrypto.com/socket-protocol-loses-3-3-million-in-an-exploit-details-here/"}]},{"content":"Socket Protocol was founded in 2021 by Vaibhav Chellani (CEO) and Rishabh Khurana (Co-founder), both previously associated with Biconomy infrastructure development. The protocol positions itself as a chain-abstraction layer enabling interoperability across more than 30 blockchain networks, with Bungee Exchange as its consumer-facing liquidity aggregation product. Socket raised a $5 million seed round in March 2022 led by Framework Ventures, followed by a $5 million strategic round in September 2023 co-led by Coinbase Ventures and Framework Ventures. Total disclosed funding stands at approximately $10 million across those rounds, with an additional $800,000 Arbitrum grant reported by community sources.","heading":"Project Background and Funding","severity":"low","sources":[{"credibility":1,"name":"CoinDesk: Coinbase, Framework Venture Funds Invest $5M in Socket Protocol","type":"news","url":"https://www.coindesk.com/tech/2023/09/06/coinbase-framework-venture-funds-invest-5m-in-socket-protocol-in-bet-on-blockchain-interoperability"},{"credibility":2,"name":"Socket Protocol Mirror post: Strategic Investment from Coinbase Ventures and Framework Ventures","type":"official","url":"https://mirror.xyz/socket.eth/-RYph2ipgxOZdCrAgWHiNeJebpG8j217C8UoxqFo2xk"}]}],"sources_used":[{"name":"The Block: Socket says Bungee protocol exploited, funds worth at least $3.3M appear stolen","type":"news","url":"https://www.theblock.co/post/272986/socket-says-bungee-protocol-exploited"},{"name":"The Block: Socket says it recovered 1,032 ETH following Bungee exploit","type":"news","url":"https://www.theblock.co/post/273964/socket-ether-recovery-bungee-exploit"},{"name":"CoinDesk: Socket, Bungee Restart Operations After Apparent $3.3M Exploit","type":"news","url":"https://www.coindesk.com/tech/2024/01/17/socket-bungee-restart-operations-after-apparent-33m-exploit"},{"name":"CoinDesk: Coinbase, Framework Venture Funds Invest $5M in Socket Protocol","type":"news","url":"https://www.coindesk.com/tech/2023/09/06/coinbase-framework-venture-funds-invest-5m-in-socket-protocol-in-bet-on-blockchain-interoperability"},{"name":"CoinTelegraph: Socket protocol recovers two-thirds of stolen ETH from hack","type":"news","url":"https://cointelegraph.com/news/socket-protocol-recovers-two-thirds-stolen-eth-from-hack"},{"name":"CoinTelegraph: Socket protocol loses $3.3M in confirmed approval exploit","type":"news","url":"https://cointelegraph.com/news/socket-protocol-loses-3-3-million-confirmed-approval-exploit"},{"name":"Halborn: Explained — The Socket Protocol Hack (January 2024)","type":"research","url":"https://www.halborn.com/blog/post/explained-the-socket-protocol-hack-january-2024"},{"name":"CertiK: Socket Tech Incident Analysis","type":"research","url":"https://www.certik.com/resources/blog/socket-tech-incident-analysis"},{"name":"Beosin: Socket Protocol Falls Victim to Call Injection Attack","type":"research","url":"https://beosin.com/resources/socket-protocol-falls-victim-to-hackers-call-injection-attack-resulting-in-approximately-33-million%C2%A0theft"},{"name":"Blockworks: Socket Tech security breach affects multiple dApps and wallets","type":"news","url":"https://blockworks.co/news/socket-bridge-protocol-exploit"},{"name":"Blockworks: Socket bridge victims will be made whole","type":"news","url":"https://blockworks.co/news/defi-exploit-socket-compensation-plan"},{"name":"CryptoBriefing: Socket recovers $2.3 million in ETH after bridge protocol exploit","type":"news","url":"https://cryptobriefing.com/socket-recovers-23-million-eth-bridge-protocol-exploit/"},{"name":"Revoke.cash: 2024 Socket Hack — Check If You're Affected","type":"other","url":"https://revoke.cash/exploits/socket"},{"name":"Olympix: Socket Protocol Confirm Approval Attack Analysis","type":"research","url":"https://olympixai.medium.com/socket-protocol-confirm-approval-attack-analysis-dc45c5defa5f"},{"name":"Neptune Mutual: How Was Socket Protocol Exploited?","type":"research","url":"https://medium.com/neptune-mutual/how-was-socket-protocol-exploited-a2ce4e81587c"},{"name":"Socket Protocol official website","type":"official","url":"https://www.socket.tech/"},{"name":"Bungee Exchange official website","type":"official","url":"https://www.bungee.exchange/"},{"name":"Socket GitHub organization","type":"official","url":"https://github.com/SocketDotTech/socket-protocol"}],"summary":"Socket Protocol (also marketed as Bungee Exchange) is a cross-chain interoperability and liquidity-routing protocol founded in 2021 by Vaibhav Chellani and Rishabh Khurana. On January 16, 2024, a newly deployed route module containing an unvalidated calldata vulnerability was exploited, draining approximately $3.3 million from approximately 230 wallets that had granted infinite token approvals to the SocketGateway contract. In an unusual outcome for a DeFi exploit, Socket negotiated the return of 1,032 ETH (~$2.3 million) from the attacker and covered the remaining ~$1.1 million shortfall itself, making all affected users whole.","timeline":[{"date":"2021-01-01","event":"Socket Protocol founded by Vaibhav Chellani and Rishabh Khurana, building on prior Biconomy infrastructure experience.","source":"CoinDesk","source_url":"https://www.coindesk.com/tech/2023/09/06/coinbase-framework-venture-funds-invest-5m-in-socket-protocol-in-bet-on-blockchain-interoperability"},{"date":"2022-03-01","event":"Socket closes $5 million seed round led by Framework Ventures.","source":"CoinDesk","source_url":"https://www.coindesk.com/tech/2023/09/06/coinbase-framework-venture-funds-invest-5m-in-socket-protocol-in-bet-on-blockchain-interoperability"},{"date":"2023-09-06","event":"Socket raises $5 million strategic round co-led by Coinbase Ventures and Framework Ventures to expand interoperability with Coinbase Wallet and Base.","source":"CoinDesk","source_url":"https://www.coindesk.com/tech/2023/09/06/coinbase-framework-venture-funds-invest-5m-in-socket-protocol-in-bet-on-blockchain-interoperability"},{"date":"2024-01-13","event":"Admin transaction adds the vulnerable WrappedTokenSwapperImpl route to the SocketGateway contract — three days before the exploit.","source":"CertiK Incident Analysis","source_url":"https://www.certik.com/resources/blog/socket-tech-incident-analysis"},{"date":"2024-01-16","event":"Attacker exploits unvalidated calldata in the new route module at 19:03 UTC, draining approximately $3.3 million from ~230 wallets with infinite approvals to SocketGateway in two transactions.","source":"CertiK Incident Analysis / The Block","source_url":"https://www.theblock.co/post/272986/socket-says-bungee-protocol-exploited"},{"date":"2024-01-16","event":"Socket team disables the vulnerable route and pauses contracts within approximately 14 minutes of the exploit.","source":"Halborn","source_url":"https://www.halborn.com/blog/post/explained-the-socket-protocol-hack-january-2024"},{"date":"2024-01-16","event":"Socket admin wallet sends on-chain message to the attacker initiating bounty negotiation and requesting return of funds within 12 hours.","source":"CryptoBriefing","source_url":"https://cryptobriefing.com/socket-recovers-23-million-eth-bridge-protocol-exploit/"},{"date":"2024-01-17","event":"Socket and Bungee Exchange resume normal operations after patching the vulnerable module.","source":"CoinDesk","source_url":"https://www.coindesk.com/tech/2024/01/17/socket-bungee-restart-operations-after-apparent-33m-exploit"},{"date":"2024-01-23","event":"Socket announces recovery of 1,032 ETH (~$2.3M) from the attacker following negotiations, and commits to covering the remaining ~$1.1M shortfall to make all 232 affected users whole.","source":"The Block / CoinTelegraph","source_url":"https://www.theblock.co/post/273964/socket-ether-recovery-bungee-exploit"},{"date":"2024-01-23","event":"Compensation portal launched at recovery.socket.tech; affected users can claim reimbursement by signing an on-chain message without granting new approvals.","source":"Blockworks","source_url":"https://blockworks.co/news/defi-exploit-socket-compensation-plan"}]},"v":1}
    Verify offline (run on your own machine)
    python -m src.verify_decision d00a4991-17c4-4fd4-a80a-61c040c029cc
How verification works. The “Row integrity” check above is computed in your browser — your machine recomputes the SHA-256 of the canonical bytes and compares against the stored hash. No avoid.net server can fake that check. The “full verify” link goes one level deeper: your browser fetches the on-chain transaction from a Solana RPC node and confirms the same hash is in the memo. If you don’t want to trust either avoid.net or the public RPC, run the CLI verifier on your own machine — python -m src.verify_decision <event_id>.