SushiSwap Hacked for $3M but Funds Returned Almost Immediately

A mystery rogue developer who allegedly drained 864.8 ETH (US$3 million) from a MISO auction has returned the funds to the original token contract.

All funds returned 🙌

— joseph.eth (@josephdelong) September 17, 2021

SushiSwap’s token launch platform suffered a supply chain attack last week that targeted its ‘Jay Pegs Auto Mart’ auction contract.

The exploit was first identified on September 17 by Sushi’s CTO Joseph Delong, who tweeted a link to the transaction that drained the funds from the protocol.

According to Delong, an anonymous contractor injected malicious code into the MISO front end, replacing the original contract for the Jay Pegs Auto Mart token auction – a parody NFT project imitating the value of a 2007 Kia – with a personal Ethereum address. A total of 864.8 ETH was transferred to the address, but no other auctions were affected.

Threat of Legal Action Prompts Return of Funds

In a string of since-deleted tweets, Delong said that Sushi had “reason to believe” the attacker was eratos1122, a pseudonymous developer who worked with Sushi and other DeFi projects. Delong put up a trail of transactions linked to the hacker’s original address and an ultimatum was also posted threatening the hacker with legal action if the funds weren’t reinstated.

A couple of hours later, the hacker returned 865 ETH to the original MISO contract. Data from Etherscan showed that the hacker’s address was almost completely empty, with Delong himself confirming the news on Twitter.

Accused Developer Threatens Retaliation

It’s still not clear who the attacker was and Delong’s original tweets accusing the former MISO developer have been deleted. The accused person threatened to release some of the MISO code he was working on in the absence of an apology from Sushi and Delong.

While many saw this as a clear sign of the developer’s involvement in the incident, neither Sushi nor any of its founders have commented further on the issue.

https://twitter.com/eratos1122/status/1438802630151655427

Some among the crypto community have slated Sushi and Delong for their handling of the situation. With the protocol mostly built by anonymous developers, making accusations without a proper investigation has negatively affected Sushi’s reputation.

Despite funds returned, Miso incident was handled poorly imo. CTO throwing accusations and cracking doxxing jokes while Sushi was mostly built by anon contributors is not a good look. You can't control the mob once you unleash it.

— banteg (@bantg) September 17, 2021

Just last month, a collective effort from the crypto community saved SushiSwap’s token fundraising platform from a potential US$350 million heist.

Almost simultaneous with the MISO exploit, SUSHI gained 23 percent in 24 hours following a growth spurt for decentralised exchange tokens (DEX).