One week after Poly Network suffered a $600 million attack (a majority of the assets have since been returned), crypto could have been rocked by another enormous hack, this time at popular ETH decentralized exchange (DEX) SushiSwap. The DEX managed to avoid the expensive dilemma, however, thanks to the help of a white hat hacker.
In a post published today, samczsun—research partner at crypto-centric venture capital firm Paradigm—explained how he began examining the smart contract code yesterday for the BitDAO token sale at SushiSwap’s MISO platform, a “launchpad” for new tokens. That sale ultimately went off without a hitch, raising $365 million in the process, but it all could have gone very wrong.
A smart contract is a bit of code that performs set instructions, and it is the backbone of blockchain-based decentralized apps (dapps), including the decentralized finance (DeFi) protocols that allow people to lend, borrow or trade without financial intermediaries. However, in this case, samczsun says he spotted potential issues with the smart contract. Further experimentation revealed an exploit that could lead to all of the ETH in the token auction contract being drained by an attacker.
“My little vulnerability just got a lot bigger,” he wrote, after discovering that the initial flaws were part of a potentially much larger exploit. “I wasn’t dealing with a bug that would let you outbid other participants. I was looking at a 350 million dollar bug.”
According to his post, samczsun looped in Paradigm colleagues Georgios Konstantopoulos and Dan Robinson to double-check his hypothesis. They quickly connected with the SushiSwap team to discuss possible solutions. Ultimately, after discussion between Paradigm, SushiSwap, and representatives of bug bounty platform Immunefi, they reached a decision: the BitDAO team holding the token sale would manually end the token auction to neutralize the potential threat.
The SushiSwap team shared additional information about the discovered exploit, noting that no funds were lost and no user action is needed as a result. SushiSwap will pause use of its MISO Dutch auction format until the smart contract can be updated.
SushiSwap is one of the most popular decentralized exchanges, with more than $444 million in trading volume over the last 24 hours per CoinGecko. Users can earn rewards by placing an array of -based tokens into liquidity pools, which are used to facilitate trades without the need to directly connect buyers with sellers.
It began life in 2020 as a copycat of Uniswap, the leading DEX, but distinguished itself with the use of a native governance token, SUSHI—an approach that Uniswap soon adopted itself. SushiSwap has continued to diversify its DeFi feature offerings, including with the launch of the MISO token sale platform. We’ll see whether today’s disclosure of a narrowly avoided exploit leads to more cautious expansion ahead for the exchange.