{"id":8176,"date":"2021-08-18T12:08:18","date_gmt":"2021-08-18T11:08:18","guid":{"rendered":"https:\/\/coinscreed.com\/staging\/?p=8176"},"modified":"2021-08-18T12:08:28","modified_gmt":"2021-08-18T11:08:28","slug":"sushiswap-narrowly-escapes-becoming-the-latest-defi-hack-victim","status":"publish","type":"post","link":"https:\/\/coinscreed.com\/staging\/sushiswap-narrowly-escapes-becoming-the-latest-defi-hack-victim\/","title":{"rendered":"SushiSwap narrowly escapes becoming the latest DeFi hack victim"},"content":{"rendered":"\n
SushiSwap could have lost 109,000 ETH due to a weakness in a Dutch <\/a>auction smart contract discovered by the security researcher.<\/h5>\n\n\n\n
\"SushiSwap<\/figure>\n\n\n\n

Thanks to the help of a white hat hacker, the SushiSwap \r\n \r\n \r\n \r\n <\/g>\r\n \r\n \r\n \r\n <\/clipPath>\r\n <\/defs><\/svg><\/span><\/a>decentralised exchange narrowly escaped becoming the latest DeFi breach victim.<\/p>\n\n\n\n

SushiSwap <\/a>and its MISO platform were saved from a potential loss of up to 109,000 ETH thanks to a security researcher from venture capital company Paradigm identified on Twitter as “samczsun.”<\/p>\n\n\n\n

The programmer revealed how he began investigating the smart contract code for the BitDAO token sale at SushiSwap's token launchpad platform, MISO, in a blog post published on Aug. 17.<\/p>\n\n\n\n

Just pulled off maybe the biggest whitehat rescue ever. Story time soon<\/p>\u2014 samczsun (@samczsun)\u00a0August 17, 2021<\/cite><\/blockquote>\n\n\n\n

He discovered a weakness in the MISO Dutch auction contract, where several of the functions lacked access controls, upon closer study.<\/p>\n\n\n\n

\u201cI didn\u2019t really expect this to be a vulnerability though, since I didn\u2019t expect the Sushi team to make such an obvious misstep.\u201d<\/p><\/blockquote>\n\n\n\n

The white hat uncovered a vulnerability that, if abused, could lead to a bad actor draining all of the crypto assets in the token auction contract. An attacker might \u201cbid in the auction for free\u201d by repeatedly using the same ETH <\/a>to batch several calls to the contract.<\/p>\n\n\n\n

Before notifying colleagues Georgios Konstantopoulos and Dan Robinson, Samczsun tested the vulnerability with a successful exploit. He also revealed that a hacker may steal the contract's cash by triggering a refund by sending more ETH than the auction's hard cap.<\/p>\n\n\n\n

\u201cSuddenly, my little vulnerability just got a lot bigger. I wasn\u2019t dealing with a bug that would let you outbid other participants. I was looking at a 350 million dollar bug.\u201d<\/p><\/blockquote>\n\n\n\n

Before the exploit was detected in the wild, it was time to contact SushiSwap <\/a>CTO Joseph Delong to devise a rescue strategy. The BitDAO team in charge of the token sale opted to manually conclude the auction by purchasing the remaining allotment and completing the procedure and retrieving the cash.<\/p>\n\n\n\n

SushiSwap stated that no cash were lost during the recovery process, but that company will halt the use of its MISO Dutch auction structure until the smart contract is upgraded. \u201cDC Investor,\u201d a member of the crypto community, commented:<\/p>\n\n\n\n

\u201cEveryone knows Paradigm has big UNI \/ Uniswap bags, but Sam from their team just helped save SushiSwap (an ostensible competitor) from a critical bug. This is the ethos of the space among the best actors.\u201d<\/p><\/blockquote>\n\n\n\n

According to a tweet from the protocol on Aug. 17, the BitDAO token sale went ahead without a hitch, earning more than 112,000 ETH (approximately $336 million) from over 9,200 participants.<\/p>\n\n\n\n

\u201cThe entire industry basically without exception banded together to fight this […] Yes, this bill is a threat, but more important […] was how effectively the industry was able to rally and defend itself in D.C.\u201d <\/p><\/blockquote>\n\n\n\n

<\/p>\n","protected":false},"excerpt":{"rendered":"

SushiSwap could have lost 109,000 ETH due to a weakness in a Dutch auction smart contract discovered by the security researcher. Thanks to the help of a white hat hacker, the SushiSwap decentralised exchange narrowly escaped becoming the latest DeFi breach victim. SushiSwap and its MISO platform were saved from a potential loss of up […]<\/p>\n","protected":false},"author":13,"featured_media":8182,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[21],"tags":[153,853,591,973],"class_list":["post-8176","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news","tag-eth","tag-sushiswap","tag-tokens","tag-uniswap"],"jetpack_featured_media_url":"https:\/\/coinscreed.com\/staging\/wp-content\/uploads\/2021\/08\/image-195.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/posts\/8176","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/users\/13"}],"replies":[{"embeddable":true,"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/comments?post=8176"}],"version-history":[{"count":0,"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/posts\/8176\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/media\/8182"}],"wp:attachment":[{"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/media?parent=8176"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/categories?post=8176"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/tags?post=8176"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}