The decentralized exchange SushiSwap narrowly avoided becoming the latest DeFi hack victim thanks to the help of a white-hat hacker.
A security researcher at venture capital firm Paradigm, known on Twitter as “samczsun”, has managed to save SushiSwap and its MISO platform from a possible loss of up to 109,000 ETH.
In a blog post published on August 17, the programmer described how he began to examine the smart contract code for the BitDAO token sale on SushiSwap’s token launchpad, MISO.
Just pulled off maybe the biggest whitehat rescue ever. Story time soon
– samczsun (@samczsun) August 17, 2021
Upon closer inspection, he found a bug in MISO’s Dutch auction contract whereby some of its functions lacked access controls.
“However, I did not expect this to be a vulnerability, as I did not expect the Sushi team to make such an obvious misstep.”
Upon further investigation, the hacker discovered a vulnerability which, if exploited, could allow a malicious actor to drain all crypto assets from the token auction contract. An attacker could reuse the same ETH over and over to make multiple calls to the contract and “bid on the free auction”.
Samczsun tested the vulnerability with a successful exploit before reaching out to colleagues Georgios Konstantopoulos and Dan Robinson to take a look and double-check the findings. They discovered that a hacker could also steal the contract’s funds by triggering a refund: sending an amount of ETH greater than the auction hard cap.
“All of a sudden, my little vulnerability got a lot bigger. I was not facing a failure that would allow you to outbid other participants. I was facing a bug of USD 350 million.”
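The two accounting failures described above (one deposit credited once per batched call, and a refund paid out past the hard cap) modelled as an added Python example; this is not SushiSwap’s, MISO’s or samczsun’s code, and the contract name, hard cap and amounts are constructed for illustration.

```python
# Added example (not SushiSwap/MISO/samczsun code): toy model of the accounting
# flaw the article describes and the check that removes it; cap and amounts are
# constructed values.
from contextlib import suppress

class InsufficientValue(Exception):
    pass

class DutchAuctionModel:
    HARD_CAP = 100  # constructed, in ETH

    def __init__(self):
        self.total_committed = 0
        self.commitments = {}  # bidder -> credited ETH
        self.balance = 0       # ETH the contract actually holds

    def commit_eth(self, bidder, value):
        """Credit `value` up to the hard cap; refund whatever does not fit."""
        accepted = min(value, self.HARD_CAP - self.total_committed)
        self.commitments[bidder] = self.commitments.get(bidder, 0) + accepted
        self.total_committed += accepted
        self.balance -= value - accepted  # refund paid from contract holdings

    def batch_vulnerable(self, bidder, msg_value, calls):
        """Flawed wrapper: every inner call observes the full msg_value."""
        self.balance += msg_value
        for _ in range(calls):
            self.commit_eth(bidder, msg_value)

    def batch_fixed(self, bidder, msg_value, call_values):
        """Hardened wrapper: inner calls may only spend what remains."""
        self.balance += msg_value
        remaining = msg_value
        for value in call_values:
            if value > remaining:
                raise InsufficientValue(f"call wants {value}, {remaining} left")
            remaining -= value
            self.commit_eth(bidder, value)

    def solvent(self):
        """Invariant worth monitoring: holdings cover credited commitments."""
        return self.balance >= self.total_committed

def demo():
    bad, good = DutchAuctionModel(), DutchAuctionModel()
    bad.batch_vulnerable("bidder", 60, 3)  # one 60 ETH deposit, credited 3 times
    with suppress(InsufficientValue):      # second inner call is rejected
        good.batch_fixed("bidder", 60, [60, 60, 60])
    return bad, good
```

In the flawed model a single 60 ETH deposit ends up credited as 100 ETH and the contract’s balance goes negative, which is the solvency invariant a monitoring job would alert on; the hardened wrapper refuses the second inner call before any credit is given.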
It was then time to contact SushiSwap CTO Joseph Delong to formulate a rescue plan before anyone else discovered the exploit. It was decided that the BitDAO team conducting the token sale would manually end the auction by purchasing the remaining allocation, immediately finalizing the process and withdrawing the funds.
SushiSwap noted that no funds were lost in the rescue effort, adding that it will pause the use of its MISO Dutch auction format until the smart contract can be updated. The member of the cryptocurrency community “DC Investor” commented:
“Everybody knows that Paradigm has big UNI / Uniswap exchanges, but Sam from his team just helped save SushiSwap (an ostensible competitor) from a critical mistake. This is the ethos of the space between the best actors.”
The BitDAO token sale went smoothly, raising over 112,000 ETH, valued at about $336 million, from more than 9,200 participants, according to a tweet from the protocol on August 17.