Twenty days after upgrading its “Polygon Bridge” smart contract, Zapper found a vulnerability in its own deprecated version.
According to a tweet, the Zapper project “exploited the vulnerability ourselves and all of the funds have been rescued.”
The problem would have affected those with an infinite approval for the bridge contract. Infinite approval is part of the ERC-20 token standard. Users can set custom approval levels for spending when interacting with dapps, but this step requires an extra click on “view full transaction details” when using Metamask.
Debank, a data provider, provides a way to manage approvals under the profile tab. Etherscan too, the block explorer, provides a page with which users can check token approvals.
Earlier this month, Zapper prevented another bug in its “Zap out” contracts from Sushiswap and Uniswap V2 from being exploited, as well as a small bug dealing with the project’s new NFT venture.
The episode is a valuable reminder that potential hacks are not limited to core DeFi protocols but extend to glitches in dashboards and projects supporting these core systems.