White hat potentially saves SushiSwap $350M by finding ‘obvious’ exploit

Published at: Aug. 18, 2021

The SushiSwap decentralized exchange has narrowly avoided becoming the latest decentralized finance hack victim thanks to assistance from a white hat hacker.

A security researcher from venture capital firm Paradigm, known on Twitter as Samczsun, has managed to save SushiSwap and its Miso platform from a potential loss of as much as 109,000 Ether (ETH).

In a blog post published on Tuesday, the programmer described how he began examining the smart contract code for the BitDAO token sale on SushiSwap’s token launchpad platform, Miso.

Just pulled off maybe the biggest whitehat rescue ever. Story time soon

— samczsun (@samczsun) August 17, 2021

On closer inspection, he found a flaw in the Miso Dutch auction contract whereby some of the functions lacked access controls.

“I didn’t really expect this to be a vulnerability though, since I didn’t expect the Sushi team to make such an obvious misstep.”

Upon deeper investigation, the white hat discovered a vulnerability that, if exploited, could have resulted in all of the crypto assets in the token auction contract being drained by a malicious actor. An attacker could reuse the same ETH over and over to batch multiple calls to the contract and “bid in the auction for free.”

Samczsun tested the vulnerability with a successful exploit before contacting colleagues Georgios Konstantopoulos and Dan Robinson to take a look and double-check the findings. He also discovered that a hacker could steal the funds from the contract by triggering a refund by sending a higher amount of ETH than the auction hard cap.

“Suddenly, my little vulnerability just got a lot bigger. I wasn’t dealing with a bug that would let you outbid other participants. I was looking at a 350 million dollar bug.”

Related: Poly Network hack exposes DeFi flaws, but community comes to the rescue

It was then time to reach out to SushiSwap chief technology officer Joseph Delong to formulate a rescue plan before the exploit was discovered in the wild. It was decided that the BitDAO team holding the token sale would manually end the auction by purchasing the remaining allocation and immediately finalizing the process and rescuing the funds.

SushiSwap noted that no funds were lost in the salvage effort, adding that it will pause the use of its Miso Dutch auction format until the smart contract can be updated. Crypto community member DCinvestor commented:

“Everyone knows Paradigm has big UNI / Uniswap bags, but Sam from their team just helped save SushiSwap (an ostensible competitor) from a critical bug. This is the ethos of the space among the best actors.”

The BitDAO token sale went off without a hitch, raising more than 112,000 ETH, valued at roughly $336 million, from over 9,200 participants according to a tweet from the protocol on Tuesday.

Tags
Technology
Hackers
Sushiswap
Related Posts
Solana and Arbitrum knocked offline, while Ethereum evades attack
Surging Ethereum rival, Solana (SOL), has shed 15% of its value over the past 24 hours after suffering a denial-of-service disruption. On Tuesday at 12:38 pm UTC, Twitter account Solana Status announced that Solana’s mainnet beta had been suffering intermittent instability over a 45-minute period. Six hours after announcing the incident, Solana Status explained that a large increase in transaction load to 400,000 per second had overwhelmed the network, created a denial-of-service, and caused the network to start forking. 1/ Solana Mainnet Beta encountered a large increase in transaction load which peaked at 400,000 TPS. These transactions flooded the transaction …
Technology / Sept. 15, 2021
Cellebrite Launches Crypto Tracer Solution to Track Illicit Transactions
Digital intelligence firm Cellebrite has launched its “Cellebrite Crypto Tracer” solution. The new offering is powered by CipherTrace and aims to trace illicit cryptocurrencies involved in money laundering, terrorism, drugs, human trafficking, weapon sales and ransomware schemes. The suite of tools will be available to investigators, analysts and non-technical agents who want to lawfully obtain evidence and trace criminals who use cryptos like Bitcoin (BTC) through the darknet. Citing figures from an Oxford University study, Cellebrite states that an estimated $76 billion worth of illegal activities involve Bitcoin. Curating millions of information references to trace transactions The Cellebrite Crypto Tracer …
Technology / July 28, 2020
Nefarious Parties Peddled Half a Million Zoom Profiles on Darknet
Recent data shows parties selling a massive number of Zoom accounts in the far reaches of the internet. In darknet and hacking forums, perpetrators are pawning off 500,000 user accounts from the popular internet video conferencing site, BleepingComputer said in an April 13 report. Hackers utilized former leaked information The infiltrators used multiple methods to gain access to the plethora of Zoom accounts. “These credentials are gathered through credential stuffing attacks where threat actors attempt to login to Zoom using accounts leaked in older data breaches,” the report said of Zoom users’ information. “The successful logins are then compiled into …
Technology / April 14, 2020
Coinbase discloses recent cyberattack targeting employees
Crypto exchange Coinbase experienced a cybersecurity attack targeting its employees on Feb. 5. The attack came through SMS scams and involved impersonations of IT staff, according to a recent report from the company's engineering team. No customers' funds or information were impacted, the firm said. As per the report, on a late Sunday several Coinbase employees received SMS messages requiring them to urgently log in via the link provided to access an important message. Acting in a good faith, one employee followed the exploiter' instructions: "While the majority ignore this unprompted message - one employee, believing that it’s an important …
Technology / Feb. 22, 2023
Top 7 cybersecurity jobs in high demand
In today’s digital age, cybersecurity has become a critical aspect of almost every business. Cyber threats are increasing daily, and businesses must take proactive measures to protect their networks and data. As a result, the demand for cybersecurity professionals has skyrocketed. Little Friday humour #meme #cybersecurity @hackurityio pic.twitter.com/MArEpCh03k — Harold De Vries (@devries_harold) February 17, 2023 In this article, we will discuss the top seven cybersecurity jobs that are in high demand. Cybersecurity analyst A cybersecurity analyst is responsible for identifying and mitigating cyber threats to an organization’s network and data. They examine system logs and network traffic to find …
Technology / Feb. 26, 2023