Clober DEX Rebalancer Reentrancy
A reentrancy in Clober DEX's Rebalancer withdraw path on Base let an attacker re-enter before LP accounting settled, draining $500K in excess liquidity.
- Date: December 10, 2024
- Victim: Clober DEX
- Chain(s): Base
- Status: Partially Recovered
On December 10, 2024, the Base-chain order-book DEX Clober lost approximately $500,000 through a reentrancy in its Rebalancer contract's withdraw path. The contract performed an external transfer before finalizing LP accounting, letting the attacker re-enter withdraw and extract disproportionate liquidity.
What happened
Clober's Rebalancer managed LP positions. Its withdraw sent assets before updating the LP-share accounting; an attacker contract re-entered withdraw during the transfer, repeatedly withdrawing against stale balances until the position was drained (~$500K).
Aftermath
- Clober paused the Rebalancer; partial recovery via negotiation.
- Patched with checks-effects-interactions ordering and a reentrancy guard.
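The ordering problem and the patch described above, side by side on a hypothetical ETH pool. This is an added example, not Clober's Rebalancer code; the contract name, function names and the 1 share = 1 wei model are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration: a hypothetical ETH pool, not Clober's Rebalancer code.
contract PoolSketch {
    mapping(address => uint256) public shares; // 1 share = 1 wei (assumption)
    uint256 private _status = 1;               // 1 = not entered, 2 = entered

    // Rejects any call that arrives while a guarded function is still running.
    modifier nonReentrant() {
        require(_status == 1, "reentrant call");
        _status = 2;
        _;
        _status = 1;
    }

    function deposit() external payable {
        shares[msg.sender] += msg.value;
    }

    // BEFORE: interaction first, effect last. While the external call runs,
    // shares[msg.sender] still holds the pre-withdraw value, so a recipient
    // contract that calls back in here passes the same check again and is
    // paid from other depositors' funds.
    function withdrawAllUnsafe() external {
        uint256 amount = shares[msg.sender];
        require(amount > 0, "no shares");
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        shares[msg.sender] = 0; // accounting settles only after control returns
    }

    // AFTER: checks, then effects, then the interaction, behind the guard.
    // In a real contract every value-moving entry point carries the guard.
    function withdrawAll() external nonReentrant {
        uint256 amount = shares[msg.sender];               // check
        require(amount > 0, "no shares");
        shares[msg.sender] = 0;                            // effect
        (bool ok, ) = msg.sender.call{value: amount}("");  // interaction
        require(ok, "transfer failed");
    }
}
```

Either measure alone stops the re-entry in this sketch: with the effect applied first, a nested call sees zero shares, and with the guard in place the nested call reverts before reading them.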
Why it matters
Clober is a late-2024 reminder that the deposit/withdraw reentrancy lineage — The DAO (2016) through Grim, Penpie, and on — does not age out. New chains (Base) and new mechanisms (order-book DEX rebalancers) keep recreating the conditions for the oldest bug because the attack surface moves to wherever the newest code is, and the newest code is written by teams who know the lesson in the abstract but reintroduce it in the concrete. Reentrancy guard + CEI on every value-moving path, no exceptions, remains the answer eight years on.
Sources & on-chain evidence
- [01] halborn.com: https://www.halborn.com/blog/post/explained-the-clober-dex-hack-december-2024
- [02] certik.com: https://www.certik.com/resources/blog/clober-dex-incident-analysis
- [03] rekt.news: https://rekt.news/cloberdex-rekt