SushiSwap could have lost 109,000 ETH due to a weakness in a Dutch auction smart contract discovered by the security researcher.
Thanks to the help of a white hat hacker, the SushiSwap decentralised exchange narrowly escaped becoming the latest DeFi breach victim.
SushiSwap and its MISO platform were saved from a potential loss of up to 109,000 ETH thanks to a security researcher from venture capital company Paradigm identified on Twitter as “samczsun.”
The programmer revealed how he began investigating the smart contract code for the BitDAO token sale at SushiSwap’s token launchpad platform, MISO, in a blog post published on Aug. 17.
Just pulled off maybe the biggest whitehat rescue ever. Story time soon
— samczsun (@samczsun) August 17, 2021He discovered a weakness in the MISO Dutch auction contract, where several of the functions lacked access controls, upon closer study.
“I didn’t really expect this to be a vulnerability though, since I didn’t expect the Sushi team to make such an obvious misstep.”
The white hat uncovered a vulnerability that, if abused, could lead to a bad actor draining all of the crypto assets in the token auction contract. An attacker might “bid in the auction for free” by repeatedly using the same ETH to batch several calls to the contract.
Before notifying colleagues Georgios Konstantopoulos and Dan Robinson, Samczsun tested the vulnerability with a successful exploit. He also revealed that a hacker may steal the contract’s cash by triggering a refund by sending more ETH than the auction’s hard cap.
“Suddenly, my little vulnerability just got a lot bigger. I wasn’t dealing with a bug that would let you outbid other participants. I was looking at a 350 million dollar bug.”
Before the exploit was detected in the wild, it was time to contact SushiSwap CTO Joseph Delong to devise a rescue strategy. The BitDAO team in charge of the token sale opted to manually conclude the auction by purchasing the remaining allotment and completing the procedure and retrieving the cash.
SushiSwap stated that no cash were lost during the recovery process, but that company will halt the use of its MISO Dutch auction structure until the smart contract is upgraded. “DC Investor,” a member of the crypto community, commented:
“Everyone knows Paradigm has big UNI / Uniswap bags, but Sam from their team just helped save SushiSwap (an ostensible competitor) from a critical bug. This is the ethos of the space among the best actors.”
According to a tweet from the protocol on Aug. 17, the BitDAO token sale went ahead without a hitch, earning more than 112,000 ETH (approximately $336 million) from over 9,200 participants.
“The entire industry basically without exception banded together to fight this […] Yes, this bill is a threat, but more important […] was how effectively the industry was able to rally and defend itself in D.C.”
