Decentralized exchange (DEX) SushiSwap was saved from joining the long list of hacked DeFi platforms after a white hat discovered an exploit and prevented a potential $350 million theft.
SushiSwap Rescued from Being Hack Victim
samczsun, a research partner at venture capital firm Paradigm, prevented SushiSwap’s MISO platform from losing $350 million worth of ETH. MISO is SushiSwap’s launchpad platform for new tokens.
The BitDAO token sale, which was auctioned on MISO earlier, happened without a hitch. The auction raised more than 112,000 ETH ($341.7 million) from over 9,200 participants.
In a blog post detailing the findings and the rescue operation, Sam stated that, upon deeper investigation, he found a vulnerability in the MISO Dutch auction contract. What was initially thought to be a minor bug turned out to be a vulnerability that could enable a hacker to steal 109,000 ETH, which was valued at $350 million at the time.
An excerpt from the blog post reads:
“To my surprise (and horror), I found that a refund would be issued for any ETH sent which went over the auction’s hard cap. This applied even once the hard cap was hit, meaning that instead of rejecting the transaction altogether, the contract would simply refund all of your ETH instead.”
“Suddenly, my little vulnerability just got a lot bigger. I wasn’t dealing with a bug that would let you outbid other participants. I was looking at a 350 million dollar bug.”
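The refund-instead-of-revert behaviour the excerpt describes, as a constructed Solidity illustration added here (not MISO’s contract code): the first function refunds any ETH above the hard cap, even once the cap has already been reached, so a commitment never fails; the hardened form rejects the commitment outright. The contract, function and variable names are assumptions for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed illustration of the behaviour described in the excerpt above;
// not MISO's code. Names are assumptions.
contract CappedAuctionExample {
    uint256 public immutable hardCap;           // maximum ETH the auction accepts
    uint256 public totalCommitted;              // ETH accepted so far
    mapping(address => uint256) public commitments;

    constructor(uint256 _hardCap) {
        hardCap = _hardCap;
    }

    // Behaviour the excerpt describes: whatever does not fit under the cap is
    // refunded, even when the cap is already full, so the call never reverts.
    function commitEthRefunding() external payable {
        uint256 room = hardCap - totalCommitted;           // never underflows: totalCommitted <= hardCap
        uint256 accepted = msg.value < room ? msg.value : room;
        commitments[msg.sender] += accepted;
        totalCommitted += accepted;
        uint256 refund = msg.value - accepted;             // may equal msg.value once the cap is hit
        if (refund > 0) {
            (bool ok, ) = msg.sender.call{value: refund}("");
            require(ok, "refund failed");
        }
    }

    // Hardened form: a commitment that does not fit under the cap is rejected,
    // so the transaction fails instead of being silently refunded.
    function commitEthStrict() external payable {
        require(totalCommitted < hardCap, "auction hard cap reached");
        require(totalCommitted + msg.value <= hardCap, "commitment exceeds hard cap");
        commitments[msg.sender] += msg.value;
        totalCommitted += msg.value;
    }
}
```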
Sam contacted his colleagues at Paradigm, Georgios Konstantopoulos and Dan Robinson, who in turn alerted SushiSwap’s chief technology officer (CTO), Joseph Delong, to the danger. Duncan Townsend, CTO of the bug bounty platform Immunefi, and Mitchell Amador, the company’s founder and CEO, were also involved in the rescue operation.
No Funds Lost
After some deliberation, it was decided that the BitDAO team in charge of the raise would purchase the remaining auction, thereby immediately concluding the process and forestalling any threats.
The rescue operation took under five hours, and the team was able to prevent a potential hacker from draining over 100,000 ETH from the contract.
Meanwhile, SushiSwap, in a separate blog post, confirmed that no funds were lost, adding that:
“All future planned auctions utilizing the specific Dutch auction contracts with ETH commitments have been paused until an updated version is redeployed.”
The latest development comes shortly after the DeFi protocol Poly Network suffered a massive attack. As previously reported by BTCManager, a hacker exploited a vulnerability in the protocol and stole over $600 million in tokens.
However, the anonymous hacker, referred to as “Mr White Hat”, returned most of the funds. The platform later relaunched with a bug bounty program with a total pool of $500,000 to reward white hats who detect and report bugs in its smart contracts.