As token price rises and reputation mends, Sushiswap foils midnight exploit

As exploits and hacks run rampant across the DeFi ecosystem, at least one project appears to have fended off the worst of an attack — the once-maligned “vampire” AMM (automated market maker) exchange Sushiswap. 

Observers noticed last night that Sushiswap — which got its start leeching liquidity from rival AMM Uniswap — was experiencing an exploit, and that anonymous head developer 0xMaki was taking steps to mitigate it:

Possible @SushiSwap exploit found? @0xMaki sends exploiter a tx with a message to collect bug bounty. See below tx with message from 0xMaki https://t.co/1MdXqw9chq Exploiter's address: https://t.co/ehh7EassCo @DefiantNews pic.twitter.com/fRpdA1j7y1

— JuanSnow (@Juan_Snow1) November 29, 2020

Reports from the Sushiswap Discord channel now indicate that the exploit has been resolved, and that all lost user funds (between $10,000 and $15,000) will be covered by the Sushiswap treasury. 

To gain a better understanding of the exploit and what it means for Sushiswap, Cointelegraph spoke to one of the smart contract engineers whom 0xMaki personally thanked on Twitter for helping to mitigate its effects: self-described “DeFi degen” and Solidity developer ‘andy.’

Post-Mortem when I wake up, exploiter got around 10-15k so far from the 0.05% fees cut of Sushiswap. LP - xSushi holders are safe! It is a fascinating one thanks @andy8052 @danielque & sushi core devs for the quick reaction and help. More soon! https://t.co/QmhNMTP28L

— 0xMaki 源 義経 (@0xMaki) November 29, 2020

According to andy, 0xMaki contacted him at 10pm EDT. 

“He (0xMaki) said there was some weirdness going on but was unsure what it was. We spent about 1 hour in a discord call going through transactions until we figured out what the exploit was.”

Andy explained that the attacker wrapped liquidity pool tokens and deployed them to a new pool, allowing the attacker to execute “really weird logic to pull the underlying tokens from the reward contract.”

The affected contracts were patched within hours, and according to 0xMaki the auditing firm Peckshield will be reviewing the changes.

Adding a layer of intrigue to the exploit, 0xMaki and the Sushiswap team attempted to communicate with the exploiter while they searched for a solution, sending a short message to the exploiter's address:

“I see you, we are working on fixing it. Contact me on Discord for a bug bounty - 0xMaki,” the message read.

Similar messages have been a feature of many recent hacks and exploits, including Value DeFi’s flash loan exploit where the exploiter taunted the team (and later returned some of his ill-gained proceeds to a victim claiming to be a nurse), and the earlier Dforce hack, where the attacker returned funds with a note looking to the future.

andy, however, doesn’t think it’s the beginning of a wider trend.

“I don't see it turning into anything just cause it is expensive and inefficient,” he said.

The quick fix may also be a sign that Sushiswap's wider fortunes are on the rise. Sushiswap’s arrival on the scene, its founder's exit scam, and the eventual return of ‘rugpulled’ funds made for one of the messiest stories of the wild DeFi summer.

With the passage of time, however, the market is once again showing signs of faith in Sushiswap. The price of the exchange’s SUSHI governance token is up over 100% on the month.

For his part, andy’s faith never wavered and the response to the attack is just another sign of the competency from the new Sushi team.

“They have been heads down working super hard. Just look at all the cool stuff they have released and are working on. It definitely doesn't hurt my view of them but also didn't really change much for me personally as I already thought pretty highly of the team.”