
Hacker stole more than $3 million from SushiSwap’s MISO platform
The attacker siphoned 864.8 ETH (about $3.09 million) from an NFT auction on SushiSwap’s MISO IDO platform.
The hacker returned all stolen funds, transferring them in three transactions to the SushiSwap address.

The Miso front end has become the victim of a supply chain attack. An anonymous contractor with the GH handle AristoK3 injected malicious code into the Miso front end. We have reason to believe this is @eratos1122.
864.8 ETH was stolen, address below https://t.co/cDZeBqFV4P
— Joseph 🤝 Delong 🔱 (@josephdelong) September 17, 2021
SushiSwap CTO Joseph Delong said that an anonymous contractor using the GitHub handle AristoK3 injected malicious code into the MISO front end and spoofed the auction address.
Around 19:00 (MSK), the funds were sent to the attacker-controlled wallet, which Etherscan now marks as linked to the MISO exploit.
According to Delong, the team believes the attacker is known on Twitter under the alias 0x A.K. The user describes himself as a blockchain and web developer.
The assumption proved incorrect; the SushiSwap CTO apologised to the developer who, by his account, did most of the work for MISO.
I’ll say sorry. I’ll even say you’re pretty now that the funds have been returned https://t.co/aE4XyQfEcz
— Joseph 🤝 Delong 🔱 (@josephdelong) September 17, 2021
Delong warned that the contractor also did work for the DeFi project yearn.Finance.
Experts from MISO asked the exchanges FTX and Binance for information about the hacker’s identity but received no cooperation, Delong said. If the funds were not returned by 15:00 (MSK) on September 17, the team would turn to the FBI.
After the deadline, the attacker transferred 100 ETH to the Sushi multisig wallet.
“I hope he will send the rest,” wrote Delong.
100 ETH has been returned to the Sushi multisig. Hoping the attacker sends the rest https://t.co/PpvYCaIUeq https://t.co/Xz7uQiHRW9
— Joseph 🤝 Delong 🔱 (@josephdelong) September 17, 2021
Approximately an hour after the first transaction, the hacker returned another 700 ETH.

Delong clarified that only the Jay Pegs Auto Mart auction was affected. The team has assured users they will still receive the purchased NFTs from the 2007 Kia Sedona series, despite the theft of funds. The release is scheduled for September 21.
Hey folks. Everyone will still receive their 2007 Kia Sedona NFTs, and the exchange is still scheduled to begin on 9/21/2021. https://t.co/oYgqyHY8Jp
— Jay Pegs Auto Mart (@jaypegsautomart) September 17, 2021
Earlier, a white-hat hacker helped fix a vulnerability in MISO that could have led to the loss of 109,000 ETH (~$350 million at the time).