White Hat May Save SushiSwap $350 Million by Finding an "Obvious Exploit"

By Crypto Bucket
  • SushiSwap was discovered to have a vulnerability in one of its smart contracts.
  • A security researcher going by the name samczsun is the white hat hacker who found the flaw.
  • Miso, SushiSwap's launchpad platform, was saved from a potential loss of 109,000 Ether (ETH), about $350M USD.
  • Before the flaw could be exploited, BitDAO ended the auction as part of the rescue effort.
  • The BitDAO token sale raised 112,000 ETH, about $336M.

It all started when a white hat hacker overheard two crypto enthusiasts chatting about a raise on a popular platform: SushiSwap's Miso. That sparked enough curiosity for him to take a moment to look into the site. Miso runs both Dutch and batch auctions. The hacker is a security researcher at the venture capital firm Paradigm, so checking out the contracts on Etherscan was right up his alley.

How SushiSwap Works

SushiSwap, working off a network, offers incentives to users who buy and sell their crypto assets through the SushiSwap software. When using a decentralized exchange, it is important to do research in advance. SushiSwap does not use a verification process for its liquidity pool. It is worth noting that it is one of the few decentralized exchanges with a decent-sized pool; it is there that users link up assets with smart contracts, and crypto traders then use that pool to buy and sell cryptocurrencies.

Contract Vulnerability Found

It was one such smart contract that proved to be problematic. The whole exchange almost became hacker prey recently, when the platform was found to have a vulnerability: some of the operations in the contract had been left without access controls. The Paradigm employee who goes by samczsun discovered this potentially damaging issue while examining the contract code ahead of the upcoming BitDAO token sale, which was set to take place on SushiSwap's launchpad platform, Miso. samczsun was in a little bit of disbelief, not thinking the Sushi team would overlook such a gaping error.

What Was At Stake

It was then that samczsun tested the contract to see whether what he believed about the code oversight was actually happening. It was. A knowledgeable hacker would have been able to continually reuse the same ETH across batched calls, creating a loophole where the auction bid would be free. It was calculated that this had the potential to lose an estimated 109,000 ETH, valued at $350M. On top of that, a hacker could also illegally take funds from the contract by triggering a refund in an amount higher than the auction's hard cap.
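The accounting mistake the article describes, a payable bid that trusts msg.value even when it is reached through a batching call that delegatecalls back into the same contract, is illustrated below next to a hardened version. This is example code added for this article, not MISO's or SushiSwap's contract; every contract, function and variable name (PayableBatch, VulnerableAuction, SaferAuction, commitEth, accountedBalance) is hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Illustrative code, not MISO's: all names are hypothetical.

// A batch helper that delegatecalls back into the same contract.
// delegatecall preserves msg.sender AND msg.value, so every sub-call
// observes the full msg.value even though the ETH arrived only once.
abstract contract PayableBatch {
    function batch(bytes[] calldata calls) external payable {
        for (uint256 i = 0; i < calls.length; i++) {
            (bool ok, ) = address(this).delegatecall(calls[i]);
            require(ok, "batched call failed");
        }
    }
}

// Vulnerable pattern: a payable bid credits msg.value and is reachable via batch(),
// so one deposit can be credited repeatedly, and the refund path can pay out
// more than the caller ever sent.
contract VulnerableAuction is PayableBatch {
    uint256 public hardCap;
    uint256 public committed;
    mapping(address => uint256) public commitments;

    constructor(uint256 cap) { hardCap = cap; }

    function commitEth() external payable {
        uint256 amount = msg.value;              // BUG: the same value is seen by every call in a batch
        uint256 room = hardCap - committed;
        uint256 accepted = amount < room ? amount : room;
        commitments[msg.sender] += accepted;
        committed += accepted;
        uint256 refund = amount - accepted;      // can exceed what was actually deposited
        if (refund > 0) {
            (bool sent, ) = msg.sender.call{value: refund}("");
            require(sent, "refund failed");
        }
    }
}

// Hardened pattern: the batch entry point is not payable, so msg.value is always
// zero inside batched calls, and the bid credits only ETH the contract has
// verifiably received, measured as a balance delta rather than read from msg.value.
contract SaferAuction {
    uint256 public hardCap;
    uint256 public committed;
    uint256 private accountedBalance;            // ETH already credited to bidders
    mapping(address => uint256) public commitments;

    constructor(uint256 cap) { hardCap = cap; }

    // Not payable: a batch cannot carry ETH into the sub-calls at all.
    function batch(bytes[] calldata calls) external {
        for (uint256 i = 0; i < calls.length; i++) {
            (bool ok, ) = address(this).delegatecall(calls[i]);
            require(ok, "batched call failed");
        }
    }

    function commitEth() external payable {
        // ETH that has arrived since the last credit; a repeated delegatecall sees 0 here.
        uint256 amount = address(this).balance - accountedBalance;
        require(amount > 0, "no ETH received");
        uint256 room = hardCap - committed;
        uint256 accepted = amount < room ? amount : room;
        commitments[msg.sender] += accepted;
        committed += accepted;
        accountedBalance += accepted;            // effects before the external refund call
        uint256 refund = amount - accepted;      // never more than this call delivered
        if (refund > 0) {
            (bool sent, ) = msg.sender.call{value: refund}("");
            require(sent, "refund failed");
        }
    }
}
```

Two independent fixes are shown in SaferAuction: removing `payable` from the batch function closes the reuse path on its own, and the balance-delta accounting means a bid can only ever be credited for ETH that actually entered the contract in that call, which also bounds the refund. State is updated before the refund call so a re-entrant bid during the refund finds nothing new to credit. One caveat of balance-delta accounting: ETH forced into the contract by other means (for example a selfdestruct) would be credited to whoever bids next, so a production contract should decide explicitly how to treat such surplus.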

Once samczsun realized the impending catastrophe at hand, he contacted Dan Robinson and Georgios Konstantopoulos to confirm that they were seeing what he was seeing. When everyone involved came to the same conclusion, it was time to bring SushiSwap into the conversation.

All Hands On Deck Resolution

SushiSwap's Chief Technology Officer, Joseph Delong, got the Sushi team together with the three outside researchers to put together a rescue plan. The goal was to seal the leaks before the holes could be found by any number of malicious actors or random hackers, and to do so without any mishaps.

Another issue on the table was a live batch auction running at the same time. The team could not simply buy it up to the hard cap, because that auction had no cap. That ended up working in their favor, since it meant the ETH could not be drained from that contract.

The Dutch auction had far more to lose than the batch auction anyway: $8M USD in the batch auction versus $350M in the Dutch auction. Luckily, there was never a threat to the batch auction, but it was important to take precautions.

It was decided that the BitDAO team, which was in charge of hosting the token sale, would end the Dutch auction immediately. To accomplish this, the team purchased the remaining allotment and concluded the sale, resulting in rescued funds.

From first coming upon the contract to a solid repair of the vulnerability, the whole ordeal took about five hours, including three active hours of fixing the problem, and samczsun was there from start to finish. In the aftermath, he wrote up his account of the entire ordeal on his blog, with timestamped details.

BitDAO Token Success

After the contracts were repaired, the BitDAO token sale moved forward and proved a triumph, bringing in more than 112,000 ETH, translating to about $336M. Over 9,000 users took part.

SushiSwap was happy to announce that no funds were harmed in the making of this rescue. Until further notice, the Miso Dutch auction will remain out of order while the smart contract receives a full update.
