Clipper Security Incident

Statement on Clipper Security Incident, originally published on x.com on Dec 1, 2024

This morning at 4am UTC Clipper’s pools on Optimism and Base were exploited for ~$450,000, roughly 6% of Clipper’s TVL. The attacker attempted to exploit other chains but was unable to do so. As a result, no other chains or pools were impacted. The exploit is no longer ongoing.

Clipper has paused swaps and deposits on all chains until the investigation is completed. Withdrawals are still available, because Clipper is noncustodial and can never prevent you from withdrawing. However, any withdrawals must be in the mix of all assets in the pool. The ability to withdraw in the form of just one token (a bundled swap + deposit/withdrawal transaction) is disabled, because that seems to have been the exploited feature.

There have been third-party claims suggesting a private key leak; however, we can confirm that this is not the case and is inconsistent with the design and security architecture of Clipper.

In addition to the investigation, an effort has begun to trace funds to attempt recovery. If you are the exploiter and are willing to speak, please reach out directly.

Clipper is committed to transparency and will provide further updates to the community as more information becomes available.