White-hat crypto hacker prevents $350 million SushiSwap heist
Samczsun, an expert in cryptocurrency applications, has revealed how top-tier ETH developers saved SushiSwap (SUSHI) from a $350 million hack.
- Cryptocurrency expert identifies flaw in code on SushiSwap
- SushiSwap was contacted and debriefed on the vulnerability
- Mass coordination efforts took place to fix the problem and prevent funds from being lifted from the network
Twitter user @samczsun, the security expert at high-profile VC firm Paradigm, shared how he spotted and reported one of the most critical bugs in the history of Ethereum's DeFi segment.
According to a story shared by @samczsun on Paradigm's official website, he noticed a discussion on Telegram between Ethereum (ETH) developers about MISO, a SushiSwap-centric token sale instrument.
The white-hat hacker noticed that two functions had no access control and one function was not initialized.
But then he found far more sensitive bugs: due to flaws in the MISO Dutch Auction design, hypothetical malefactors were able to drain all the liquidity from the $350 million contract.
The contract is vulnerable to a flaw which also affects Opyn DeFi's contracts. Early this August, the contract lost almost 370,000 USD Coin (USDC).
“Suddenly, my little vulnerability just got a lot bigger. I wasn’t dealing with a bug that would let you outbid other participants. I was looking at a 350 million dollar bug.”
To double-check his findings, Mr. Samczsun contacted his colleagues Georgios Konstantopoulos, Dan Robinson and SushiSwap (SUSHI) CTO Joseph Delong.
“To my surprise (and horror), I found that a refund would be issued for any ETH sent which went over the auction’s hard cap. This applied even once the hard cap was hit, meaning that instead of rejecting the transaction altogether, the contract would simply refund all of your ETH instead.”
The developers reached out to the team behind the auction (BitDAO) and asked them if they could manually repurchase the tokens.
Thanks to this quick and decisive action, all funds were retrieved in less than five hours. Mr. Samczsun argues that using 'safe' components does not necessarily protect the whole system from danger.
“Safe components can come together to make something unsafe. I’ve preached this before in the context of composability and DeFi protocols, but this incident shows that even safe contract-level components can be mixed in a way that produces unsafe contract-level behavior.”