In Brief:
- A security researcher from Paradigm has managed to save SushiSwap and its Miso platform from a potential loss of as much as 109,000 Ether.
- SushiSwap noted that no funds were lost in the salvage effort.
With the assistance of a “white hat hacker” The SushiSwap decentralized exchange narrowly avoided becoming the latest decentralized finance hack victim.
A security researcher from venture capital firm Paradigm, Samczsun, managed to save SushiSwap and its Miso platform from a potential loss of as much as 109,000 Ether (ETH).
Samczun claimed in a blog post that he found a vulnerability that was threatening over $350 million or 109,000 ETH (~350 million USD) from the MISO platform. The programmer described how he began examining the smart contract code for the BitDAO token sale on Miso.
He said that the exploit involved protocols that were otherwise safe and bug-free, but their composite was not.
He found a flaw in the Miso Dutch auction contract. According to the flaw, some of the functions lacked access controls.
“I didn’t really expect this to be a vulnerability though, since I didn’t expect the Sushi team to make such an obvious misstep.”
Upon investigating further, the hacker found a vulnerability that could have resulted in all of the crypto assets being drained by a malicious actor. An attacker could reuse the same ETH over and over to batch multiple calls to the contract and “bid in the auction for free.”
Fixing The Bug
The malicious actor could trigger a refund to steal the funds on the SushiSwap. The attacker would have had only to send a higher amount of ETH than the auction hard cap. Samczun said:
“This applied even once the hard cap was hit, meaning that instead of rejecting the transaction altogether, the contract would simply refund all of your ETH instead”. The white hacker set up “poor man’s Mainnet fork on the command line” after he discovered vulnerability.
Once the thesis was verified, the white hacker reported the bug to SushiSwap’s CTO Joseph Delong. He and other members of the protocol team coordinated a response to remove the bug. The team and Samczun “rescued” the funds by buying the remaining items. Thus, the auction was finalized.
Also Read: The Biggest Defi Hack: Poly Network Drained of $611M
As pseudonym community member DC Investor said, the fact that the vulnerability was discovered by a white-hat hacker says a lot about the “ethos” of the Ethereum ecosystem.
DC said, “Found and helped patch a vulnerability that put over 109k ETH at risk everyone knows Paradigm has big UNI / Uniswap bags, but Sam from their team just helped save SushiSwap (an ostensible competitor) from a critical bug this is the ethos of the space among the best actors.”
