White hat potentially saves SushiSwap $350M by finding ‘obvious’ exploit
The SushiSwap decentralized exchange has narrowly avoided becoming the latest decentralized finance hack victim thanks to assistance from a white hat hacker.
A security researcher from venture capital firm Paradigm, known on Twitter as Samczsun, has managed to save SushiSwap and its Miso platform from a potential loss of as much as 109,000 Ether (ETH).
In a blog post published on Tuesday, the programmer described how he began examining the smart contract code for the BitDAO token sale on SushiSwap’s token launchpad platform, Miso.
Just pulled off maybe the biggest whitehat rescue ever. Story time soon
— samczsun (@samczsun) August 17, 2021
On closer inspection, he found a flaw in the Miso Dutch auction contract whereby some of the functions lacked access controls.
“I didn’t really expect this to be a vulnerability though, since I didn’t expect the Sushi team to make such an obvious misstep.”
Upon deeper investigation, the white hat discovered a vulnerability that, if exploited, could have resulted in all of the crypto assets in the token auction contract being drained by a malicious actor. An attacker could reuse the same ETH over and over to batch multiple calls to the contract and “bid in the auction for free.”
Samczsun tested the vulnerability with a successful exploit before contacting colleagues Georgios Konstantopoulos and Dan Robinson to take a look and double-check the findings. He also discovered that a hacker could steal the funds from the contract by triggering a refund by sending a higher amount of ETH than the auction hard cap.
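The two failure modes described above share one accounting flaw: ETH arrives in the contract once per transaction, but a payable batch call lets every sub-call see that same amount again. The following Python model is an added illustration, not the Miso contract's code (which is Solidity) nor anything from the article; the class and method names, the hard cap and the sample amounts are constructed for the example. It shows the flawed batch beside a hardened one, and a solvency check (credited commitments versus ETH actually held) that a reviewer or monitor can use to catch this class of bug.

```python
"""Simplified model of a Dutch-auction commit function reached through a
payable batch call. Constructed for illustration; hypothetical names."""
from dataclasses import dataclass, field


@dataclass
class Auction:
    hard_cap: int                                   # maximum ETH the sale accepts
    balance: int = 0                                # ETH the contract actually holds
    commitments: dict = field(default_factory=dict)  # sender -> ETH credited
    refunds: list = field(default_factory=list)      # (sender, amount) paid out

    def _commit_eth(self, sender: str, msg_value: int) -> None:
        # Accept ETH up to the remaining hard cap; anything above it is refunded
        # to the sender out of the contract's balance (the refund path the
        # article mentions, in simplified form).
        room = max(self.hard_cap - sum(self.commitments.values()), 0)
        accepted = min(msg_value, room)
        refund = msg_value - accepted
        self.commitments[sender] = self.commitments.get(sender, 0) + accepted
        if refund:
            self.balance -= refund
            self.refunds.append((sender, refund))

    def commit(self, sender: str, msg_value: int) -> None:
        """One plain transaction: the ETH arrives once and is credited once."""
        self.balance += msg_value
        self._commit_eth(sender, msg_value)

    def vulnerable_batch(self, sender: str, msg_value: int, n_calls: int) -> None:
        """Flawed pattern: the ETH arrives once, but every batched sub-call
        observes the same msg_value and is credited (or refunded) it again."""
        self.balance += msg_value
        for _ in range(n_calls):
            self._commit_eth(sender, msg_value)

    def hardened_batch(self, sender: str, msg_value: int, amounts: list) -> None:
        """Fixed pattern: the batch owns the ETH and hands each sub-call an
        explicit share, and the shares may not exceed what was actually sent."""
        if sum(amounts) > msg_value:
            raise ValueError("batch would spend more ETH than was sent")
        self.balance += msg_value
        for amount in amounts:
            self._commit_eth(sender, amount)
        leftover = msg_value - sum(amounts)
        if leftover:
            self.balance -= leftover
            self.refunds.append((sender, leftover))

    def solvency_gap(self) -> int:
        """Credited commitments minus ETH held. A correct contract keeps this
        at zero; a positive value means someone was credited ETH that was never
        deposited, which is the invariant a test or monitor should assert."""
        return sum(self.commitments.values()) - self.balance

    def refunded_to(self, sender: str) -> int:
        return sum(amount for who, amount in self.refunds if who == sender)


if __name__ == "__main__":
    # Free bids: one deposit of 10, credited five times.
    a = Auction(hard_cap=100)
    a.vulnerable_batch("attacker", 10, 5)
    print("credited", a.commitments["attacker"], "held", a.balance, "gap", a.solvency_gap())

    # Refund drain: once the cap is nearly full, each repeated sub-call refunds
    # the full msg_value again, paid from other participants' deposits.
    b = Auction(hard_cap=100)
    b.commit("honest", 90)
    b.vulnerable_batch("attacker", 30, 3)
    print("refunded", b.refunded_to("attacker"), "held", b.balance, "gap", b.solvency_gap())
```

The hardened batch makes the value accounting explicit rather than relying on whatever each sub-call reads from the transaction, and `solvency_gap()` is the kind of invariant a fuzzing harness or on-chain monitor can check after every batched call.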
“Suddenly, my little vulnerability just got a lot bigger. I wasn’t dealing with a bug that would let you outbid other participants. I was looking at a 350 million dollar bug.”
He then reached out to SushiSwap chief technology officer Joseph Delong to formulate a rescue plan before the exploit could be discovered in the wild. It was decided that the BitDAO team holding the token sale would manually end the auction by purchasing the remaining allocation and immediately finalizing the sale, securing the funds.
SushiSwap noted that no funds were lost in the salvage effort, adding that it will pause the use of its Miso Dutch auction format until the smart contract can be updated. Crypto community member DCinvestor commented:
“Everyone knows Paradigm has big UNI / Uniswap bags, but Sam from their team just helped save SushiSwap (an ostensible competitor) from a critical bug. This is the ethos of the space among the best actors.”
The BitDAO token sale went off without a hitch, raising more than 112,000 ETH, valued at roughly $336 million, from over 9,200 participants, according to a tweet from the protocol on Tuesday.