
White Hat Hacker Exploits Telegram Game Super Sushi Samurai for $4.6 Million
The developers of the Telegram game Super Sushi Samurai have reported that a flaw in a smart contract allowed a hacker to withdraw $4.6 million from LP wallets.
We have been exploited, it’s mint related. We are still looking into the code. Tokens were minted and sold into the LP.
Transaction: https://t.co/F4XeqdyJu2 the exploited funds are in this wallet: https://t.co/NWeTu5vMkj
— Super Sushi Samurai | SSS (@SSS_HQ) March 21, 2024
A Yuga Labs developer known as Coffee stated that this was a double-spending attack: when a user sent their wallet balance to themselves, the funds doubled.
The @SSS_HQ $SSS LP was just drained on blast because their token contract has a bug where transferring your entire balance to yourself doubles it.
The order of operations decrements the balance for “from” and then sets the balance for “to” — if these are the same address, the… pic.twitter.com/RStMcFH3sy
— Coffee ☕️ (@coffeexcoin) March 21, 2024
The hacker acquired 690 million SSS tokens and transferred the entire balance to themselves 25 times, doubling it each time. They then sold the “mined” 11.5 trillion SSS for 1310 ETH (~$4.6 million) on decentralized exchanges.
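The self-transfer flaw Coffee describes can be modelled in a few lines. The Python below is an added illustration, not the SSS contract's code: the `Ledger` class, account names and amounts are constructed, and it assumes the vulnerable transfer caches both balances before writing either. It sets that transfer beside a corrected one and a supply-conservation check that catches the difference.

```python
class Ledger:
    """Toy token ledger (constructed model, not the SSS contract)."""

    def __init__(self, balances):
        self.balances = dict(balances)

    def total_supply(self):
        return sum(self.balances.values())

    def _check(self, sender, amount):
        if amount < 0 or amount > self.balances.get(sender, 0):
            raise ValueError("invalid amount or insufficient balance")

    def transfer_vulnerable(self, sender, recipient, amount):
        self._check(sender, amount)
        # Assumed flaw: both balances are cached before either is written.
        from_bal = self.balances.get(sender, 0)
        to_bal = self.balances.get(recipient, 0)
        self.balances[sender] = from_bal - amount
        # If sender == recipient, to_bal is the stale pre-debit value, so
        # this write discards the debit and leaves old balance + amount.
        self.balances[recipient] = to_bal + amount

    def transfer_fixed(self, sender, recipient, amount):
        self._check(sender, amount)
        # Re-read storage for each update so the credit sees the debit.
        self.balances[sender] = self.balances.get(sender, 0) - amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount


def conserves_supply(ledger, method, sender, recipient, amount):
    """Invariant check: a transfer must leave total supply unchanged."""
    before = ledger.total_supply()
    getattr(ledger, method)(sender, recipient, amount)
    return ledger.total_supply() == before


def run_checks(method):
    """Run the invariant over constructed cases, including self-transfers."""
    ledger = Ledger({"alice": 100, "pool": 1000})
    cases = [("alice", "pool", 40), ("alice", "alice", 60), ("pool", "pool", 0)]
    return [conserves_supply(ledger, method, s, r, a) for s, r, a in cases]


if __name__ == "__main__":
    print("vulnerable:", run_checks("transfer_vulnerable"))
    print("fixed:     ", run_checks("transfer_fixed"))
```

A test suite that includes the `sender == recipient` case and asserts an unchanged total supply after every transfer flags this class of bug before deployment.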
Later, the hacker contacted the project team through a transaction signature and offered to return the funds. At the time of writing, negotiations are ongoing.
Following the incident, the price of the SSS token plummeted by 99.9% according to CoinGecko.
The Telegram game Super Sushi Samurai operates on the Blast network. Rewards are generated through a combination of trading tax, a discount on on-chain transaction fees from Blast, and income derived from ether in the LP pool.
Blast is an EVM-compatible scaling protocol utilizing Optimistic Rollups. The platform offers a passive income of 4-5% annually.
The project was launched in November 2023 by the founder of the NFT marketplace Blur, known as Pacman. Initially, the protocol lacked even a test network and invited users to deposit coins via a bridge.