an update on the sniper auction incident from may 26.

an attacker drained ~26 WETH from 41 sniper wallets over roughly 20 seconds. clanker token deployments and the treasury were not affected. The attack was on the sniper wallets, not clanker contracts.

what happened: a third-party sniper bot had mistakenly granted standing WETH approvals to the auction contract. our docs explicitly warn against this and include sample code to prevent it: clanker.world/docs/references/core-contracts/v4/mev-modules/clankersniperauctionv0#warning-on-approving-clankersniperauctionv0-to-spend-weth.

since these approvals existed outside of atomic operations, they could be triggered by anyone. the attacker spotted the open approvals and used them to pull funds from the sniper wallet.

we temporarily adjusted a single parameter on the contract as a precaution while the developer patched their implementation so that the impact surface wouldn’t increase for them. the clanker contracts themselves were never compromised and required no changes.

if you're building a sniper bot: ClankerSniperUtilV2 has always included a reference implementation that handles approvals correctly: github.com/clanker-devco/v4-contracts/blob/main/src/mev-modules/sniper-utils/ClankerSniperUtilV2.sol

the developer was transparent and acted in good faith throughout. where we can help, we will. although the attack was not on clanker contracts themselves, we have chosen to reward good faith development on clanker by compensating affected users; claim page coming soon.

thanks to @carter, @dish, @lobstermindset.eth, and Blockaid for helping look into this when it happened.
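The difference between a standing approval and an atomic one, as described in the incident update above, shown as an added example that is not part of the original post and is not clanker's code. It is a toy in-memory model of ERC-20 style allowances; every class, function, wallet and address name in it is hypothetical, and a Python snapshot/restore stands in for an on-chain transaction revert.

```python
# Added illustration: minimal in-memory model of ERC-20 style allowances.
# All names are hypothetical; nothing here comes from the clanker codebase.
import copy

MAX_UINT = 2**256 - 1

class Token:
    """Toy WETH-like ledger: balances plus owner -> spender -> allowance."""
    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowance = {}

    def approve(self, owner, spender, amount):
        self.allowance.setdefault(owner, {})[spender] = amount

    def transfer_from(self, spender, owner, to, amount):
        allowed = self.allowance.get(owner, {}).get(spender, 0)
        if allowed < amount or self.balances.get(owner, 0) < amount:
            raise ValueError("transferFrom reverted")
        if allowed != MAX_UINT:  # an unlimited approval is never decremented
            self.allowance[owner][spender] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount

def atomic_bid(token, wallet, spender, amount):
    """Approve, spend and reset as one unit; any failure restores prior state."""
    snapshot = copy.deepcopy((token.balances, token.allowance))
    try:
        token.approve(wallet, spender, amount)           # exact amount only
        token.transfer_from(spender, wallet, spender, amount)
        token.approve(wallet, spender, 0)                # nothing left open
    except ValueError:
        token.balances, token.allowance = snapshot       # models a revert
        raise

def standing_approvals(token, spender):
    """Audit: wallets whose allowance to `spender` is non-zero between transactions."""
    return {o: a[spender] for o, a in token.allowance.items() if a.get(spender, 0) > 0}

def demo():
    token = Token({"bot_a": 10, "bot_b": 10})   # constructed sample wallets
    auction = "auction"                          # placeholder spender address
    token.approve("bot_a", auction, MAX_UINT)    # standing approval, left open
    token.transfer_from(auction, "bot_a", auction, 1)
    atomic_bid(token, "bot_b", auction, 1)       # exact approval, reset to zero
    try:
        atomic_bid(token, "bot_b", auction, 100) # fails: balance too low
    except ValueError:
        pass
    return standing_approvals(token, auction), token.balances
```

Only the wallet that left its approval open shows up in the audit; the atomic path leaves a zero allowance both after a successful bid and after a failed one.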