defirisk.co
rubric v1.7.0

Clober DEX: Reentrancy (Post-Audit Code Change)

Clober DEX's Liquidity Vault was drained for $500K via a textbook reentrancy attack that was introduced in a post-audit code change — rendering two completed security audits completely irrelevant.

Occurred: 2024-12-10 | Loss: $500K | Status: closed

Summary

Clober DEX suffered a reentrancy exploit in the DEX / Liquidity Vault category on 2024-12-10, resulting in a loss of approximately $500K.

Linked factors

  • RD-F-001 — causal : ★ Audit scope mismatch — alternate field name [via dashboard_risk_factors/Exploited code in scope?: No — the reentrancy was introduced in a post-audit code addition not covered by Trust Security's audit; Kupia flagged concerns about malicio...]
  • RD-F-004 — causal : Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited (post-audit addition)]
  • RD-F-006 — causal : Audit-deploy gap — alternate field name [via dashboard_risk_factors/Code newly deployed/upgraded?: Yes — post-audit code change added the vulnerable `burnHook` callback]