Est. MMXXVI · Vol. VI · № 273
Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 176 · Smart Contract Bug

Socket / Bungee Approval Drain

$3.3M drained from Socket/Bungee bridge aggregator users via an unvalidated SocketGateway route that called transferFrom on infinite-approval wallets.

Date: January 16, 2024
Chain(s):
Status: Partially Recovered

On January 16, 2024, the cross-chain liquidity aggregator Socket (which powers the Bungee bridge UI) lost approximately $3.3 million from users who had granted infinite approvals to the SocketGateway contract. An incompletely validated route allowed an attacker to make the gateway perform transferFrom against wallets that had granted those approvals. Socket later recovered ~$2.3M and returned it to affected users.

What happened

SocketGateway routes user funds through pluggable "route" contracts for swaps and bridges. A recently added route was insufficiently validated: an attacker-crafted call could make the gateway execute an arbitrary transferFrom on any token that users had approved to it. ~$3.3M was swept from approval-holding wallets before Socket disabled the vulnerable route.

Aftermath

  • Socket disabled the bad route within hours and paused affected functionality.
  • Through coordinated effort, ~$2.3M was recovered and a distribution process returned it to affected users.

Why it matters

Socket is the January 2024 instance of the approval-holding aggregator with an under-validated route pattern — the same structural class as Furucombo, Transit Swap, Dexible, and (six months later) LI.FI. The recurrence within a single ecosystem and a single year is the point: every new route/facet/plugin added to an approval-holding aggregator is a fresh, often-under-audited attack surface, and the standing-approval model means every user who ever approved the gateway is exposed to every future route's bugs. Socket's relatively strong recovery (~70%) is the redeeming feature; the structural exposure is identical to every other entry in this lineage.
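The structural point above (an approval-holding gateway whose pluggable routes inherit every user's standing approval) is easier to see in a runnable model. The following Python is an added toy simulation, not Socket's code or anything from the sources cited below; every name, address, route and amount in it is constructed. It models a minimal ERC-20 allowance ledger, a gateway whose routes execute in the gateway's own context and receive raw calldata (the under-validated pattern the dossier describes), and a hardened gateway that pulls only the declared amount from the transaction sender, never lets a route act as the gateway, and checks a balance invariant after each route call. It also shows that the exposure created by an infinite approval persists until that approval is explicitly revoked.

```python
"""
Added toy model of the approval-holding aggregator pattern (constructed example,
not Socket's code). Two gateway designs over a minimal ERC-20 allowance ledger:

  * VulnerableGateway: a route runs as the gateway (delegatecall-like) and is
    handed raw calldata, so any transferFrom it requests is backed by the
    gateway's standing approvals from every user who ever approved it.
  * HardenedGateway: the gateway itself pulls only the declared amount from
    the transaction sender via a registered route; the route never acts as
    the gateway, and a post-call balance invariant rejects a route that
    moved any other approver's funds.
"""

INFINITE = 2**256 - 1


class Token:
    """Minimal ERC-20 balance and allowance ledger (constructed for the example)."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowance = {}  # (owner, spender) -> remaining amount

    def approve(self, owner, spender, amount):
        self.allowance[(owner, spender)] = amount

    def transfer(self, caller, to, amount):
        if self.balances.get(caller, 0) < amount:
            raise PermissionError(f"{caller} holds fewer than {amount}")
        self.balances[caller] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount

    def transfer_from(self, caller, owner, to, amount):
        """`caller` plays msg.sender: the allowance checked is owner -> caller."""
        allowed = self.allowance.get((owner, caller), 0)
        if allowed < amount:
            raise PermissionError(f"{caller} lacks allowance to move {amount} from {owner}")
        if allowed != INFINITE:  # infinite approvals are never decremented
            self.allowance[(owner, caller)] = allowed - amount
        self.transfer(owner, to, amount)


def exposed_wallets(token, spender):
    """Wallets whose standing approval to `spender` is still live."""
    return sorted(o for (o, s), a in token.allowance.items() if s == spender and a > 0)


def passthrough_route(token, ctx, sender, calldata):
    """Under-validated route: trusts caller-supplied owner/to/amount and issues
    transferFrom as whatever account (`ctx`) it happens to execute as."""
    token.transfer_from(ctx, calldata["owner"], calldata["to"], calldata["amount"])


def bridge_route(token, ctx, sender, calldata):
    """Well-behaved route: forwards only the tokens it was handed."""
    token.transfer(ctx, "bridge-escrow", calldata["amount"])


class VulnerableGateway:
    def __init__(self, addr, token):
        self.addr, self.token, self.routes = addr, token, {}

    def execute(self, sender, route_id, calldata):
        # The route acts *as the gateway*, so every standing approval is spendable.
        self.routes[route_id](self.token, self.addr, sender, calldata)


class HardenedGateway:
    def __init__(self, addr, token, approvers):
        self.addr, self.token, self.routes = addr, token, {}
        self.approvers = set(approvers)

    def execute(self, sender, route_id, amount, calldata):
        if route_id not in self.routes:
            raise ValueError("unregistered route")
        before = {a: self.token.balances.get(a, 0) for a in self.approvers}
        route_addr = f"route:{route_id}"
        # The gateway, not the route, spends the allowance: only msg.sender's,
        # only `amount`, and only into the route's own balance.
        self.token.transfer_from(self.addr, sender, route_addr, amount)
        self.routes[route_id](self.token, route_addr, sender, calldata)
        # Defence in depth: no approver other than the sender may lose funds.
        for acct, bal in before.items():
            floor = bal - (amount if acct == sender else 0)
            if self.token.balances.get(acct, 0) < floor:
                raise RuntimeError(f"route {route_id} moved funds of {acct}")


def fresh_token(gateway):
    token = Token({"alice": 1_000, "bob": 5_000, "attacker": 0})
    for user in ("alice", "bob"):
        token.approve(user, gateway, INFINITE)  # the "infinite approval" habit
    return token


def demo():
    crafted = {"owner": "bob", "to": "attacker", "amount": 5_000}
    results = {}

    # 1. Vulnerable design: the crafted call spends bob's standing approval.
    t1 = fresh_token("gateway")
    vuln = VulnerableGateway("gateway", t1)
    vuln.routes["new-route"] = passthrough_route
    vuln.execute("attacker", "new-route", crafted)
    results["drained"] = t1.balances["attacker"]

    # 2. Hardened design: same route, same calldata, but the route never runs
    #    as the gateway, so it holds no allowance from bob.
    t2 = fresh_token("gateway")
    hard = HardenedGateway("gateway", t2, ["alice", "bob"])
    hard.routes["new-route"] = passthrough_route
    hard.routes["bridge"] = bridge_route
    try:
        hard.execute("attacker", "new-route", 0, crafted)
        results["blocked"] = False
    except PermissionError:
        results["blocked"] = True

    # 3. Legitimate use still works: alice declares 100 and exactly 100 moves.
    hard.execute("alice", "bridge", 100, {"amount": 100})
    results["bridged"] = t2.balances["bridge-escrow"]

    # 4. Standing exposure is per wallet and ends only with revocation.
    results["exposed"] = exposed_wallets(t2, "gateway")
    t2.approve("alice", "gateway", 0)
    results["exposed_after_revoke"] = exposed_wallets(t2, "gateway")
    return results


if __name__ == "__main__":
    print(demo())
```

The design choice worth copying from the hardened variant is that allowance is spent by the gateway alone, in the amount the sender signed for, before control ever reaches a route; a route then has nothing to work with except the tokens it was handed, so a badly validated new route degrades to a bug in that one swap rather than a drain of every historical approver. The `exposed_wallets` helper is the user-side counterpart: a live approval to the gateway is exposure to every route added later, which is why revoking unused approvals matters independently of any single incident.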

Sources & on-chain evidence

  1. Halborn: https://www.halborn.com/blog/post/explained-the-socket-hack-january-2024
  2. CoinDesk: https://www.coindesk.com/tech/2024/01/17/socket-bungee-restart-operations-after-apparent-33m-exploit
  3. rekt.news: https://rekt.news/socket-rekt
