White Hat Hacker Group Prevents $350 Million SushiSwap DeFi Heist

By Robert Drage, August 19, 2021

A collective effort from the crypto community has saved SushiSwap’s token fundraising platform from a potential US$350 million heist. A partner of Paradigm found a vulnerability in the code that could have led to an auction being hacked if discovered by a malicious actor.

One of the smart contracts on MISO, SushiSwap’s token fundraising platform, was being used in a “Dutch auction”. The vulnerability created a ticking time bomb: the platform could have lost 109,000 ETH (US$350 million) before the auction ended.

According to a post published by SushiSwap on Monday, Paradigm security researcher Sam Sun (aka samczsun) and colleagues Georgios Konstantopoulos and Daniel Robinson worked together to solve the problem with the “Dutch auction” contract on the MISO platform. Sun was scanning through the code when he came upon the vulnerability.

Complex Smart Contracts in DeFi Need to be Secure

In Sun’s words: “Unfortunately, while composing two components might be safe most of the time, it only takes one vulnerability to cause serious financial damage to hundreds if not thousands of innocent users.”

This incident shows that even safe contract-level components can be mixed in a way that produces unsafe contract-level behaviour. There’s no catch-all advice to apply here, like ‘check-effect-interaction’, so you need to be cognisant of what additional interactions new components are introducing.

Samczsun

According to SushiSwap, the vulnerability created a “two-pronged issue where a user can both put up a commitment higher than ‘msg.value’, thereby draining any unsold tokens, and additionally drain the raised funds on the contract as refunds if the auction has reached max commitment”.

“Users could over-bid and get a refund of the difference between the current bid and the amount they submitted, but the refund could be repeated to drain the auction contract,” adds Duncan Townsend, CTO at Immunefi, a bug bounty platform for DeFi that was also recruited to help solve the issue.
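The two prongs described above correspond to two accounting invariants an auditor or monitoring job can check per transaction. The following is an added example, not code from SushiSwap, Paradigm or Immunefi; the `Tx` record, the `audit` function and the ledger amounts are hypothetical and constructed for illustration.

```python
from typing import NamedTuple

class Tx(NamedTuple):
    txid: str
    value: int      # ETH actually delivered with the transaction (msg.value)
    committed: int  # ETH the auction credited to the bidder in this transaction
    refunded: int   # ETH the auction sent back to the bidder in this transaction

def audit(txs, max_commitment):
    """Replay a ledger and return (txid, finding) pairs for broken invariants."""
    findings = []
    balance = total = worst_deficit = 0
    for tx in txs:
        # Prong 1: a bid may never be credited for more than was paid in.
        if tx.committed > tx.value:
            findings.append((tx.txid, "commitment exceeds msg.value"))
        # Prong 2: a refund may only return the unspent part of what was paid in.
        if tx.refunded > max(tx.value - tx.committed, 0):
            findings.append((tx.txid, "refund exceeds unspent msg.value"))
        balance += tx.value - tx.refunded
        total += tx.committed
        if total > max_commitment:
            findings.append((tx.txid, "total commitments exceed cap"))
        # Solvency: funds held must cover every credited commitment.
        deficit = total - balance
        if deficit > worst_deficit:
            findings.append((tx.txid, "balance below commitments"))
            worst_deficit = deficit
    return findings

# Constructed sample ledger (whole ETH for readability), auction cap of 100.
SAMPLE_LEDGER = [
    Tx("t1", value=40, committed=40, refunded=0),   # ordinary bid
    Tx("t2", value=10, committed=30, refunded=0),   # credited more than paid
    Tx("t3", value=50, committed=30, refunded=20),  # over-bid, correct refund
    Tx("t4", value=5,  committed=0,  refunded=25),  # refund larger than payment
]

if __name__ == "__main__":
    for txid, finding in audit(SAMPLE_LEDGER, max_commitment=100):
        print(txid, finding)
```

The same two per-transaction checks can be written as assertions in a contract test suite or as alert rules over decoded auction events.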

I had gone from encounter to discovery in a little over half an hour, disclosure in 20 minutes, war room in another 30, and a fix in three hours. All in all, it took only five hours to protect 350 million USD from falling into the wrong hands.

Samczsun

Preventing Attacks with Secure DeFi Contracts

In the case of the SushiSwap vulnerability, many in the crypto community have taken to social media to praise and show support for the collective rescue efforts led by the research arm at Paradigm.

This event follows the biggest DeFi exploit to date, which took place last week, when cross-chain DeFi site Poly Network was attacked and lost more than US$600 million worth of cryptocurrencies due to a bug.

Other recent instances such as the Thorchain attack or ICX coding flaw exploit have also been due to vulnerabilities in code.

The DeFi space is one of blockchain’s newest innovations with lots of potential for growth and wealth creation. However, the industry is in its infancy with much to be learned, and since there’s so much money on the table there will usually be vultures circling around.

Robert Drage
Author

Robert is a freelance researcher, with a background in information science currently interested in blockchain technology and technical developments in the field.
