White-hat hacker foils $350m theft in SushiSwap DeFi project

Paradigm partner and cybersecurity expert Sam San explained how he identified and helped fix a vulnerability in the SushiSwap DeFi project. The bug threatened losses of more than 109,000 ETH (about $350 million at the time).

The expert studied MISO (Minimal Initial SushiSwap Offering), SushiSwap’s platform for launching new tokens and raising funds. It offers two auction types — batch and Dutch.

The bug drew attention after a hacker exploited it in an attack on Opyn. Back then the attacker withdrew around $371,000 of user funds from the DeFi project.

In the case of MISO, the risk was greater. Sam San discovered that the vulnerability would refund any ETH sent beyond the auction cap: instead of rejecting an over-cap transaction, the contract would simply reimburse all the funds.

“Suddenly a small vulnerability became much bigger. I wasn’t dealing with a bug that would allow outbidding other participants. I found a $350 million bug,” the researcher wrote.

The assets were held in the contract of an active Dutch auction on MISO.

Sam San contacted the SushiSwap team and several external experts. The group devised three potential solutions to the problem:

  • keep everything unchanged, assuming no one would discover the bug;
  • secure the funds by withdrawing them using an exploit;
  • complete the auction manually.

The group chose the last option.

However, the issue extended to an active $8 million batch auction on MISO, which was left alone, as there was no way to force a conclusion.

“In total, it took just five hours to protect $350 million from falling into the wrong hands. Even though there was no monetary loss, I’m sure all participants would have preferred not to go through this process,” said Sam San.

He concluded that even safe components of DeFi protocols, when integrated, can introduce contract-level vulnerabilities.
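To make that conclusion concrete, here is an added Python model (not code from the article, SushiSwap or the researcher) of the two "safe" behaviours the article describes combining badly: a commit function that refunds whatever exceeds the cap, and a way to invoke that function several times inside one transaction. The model assumes, as in this class of bug, that every repeated call sees the same `msg.value` even though the ETH was transferred only once; the cap of 100 ETH, the honest 50 ETH bid and the three modes (`refund`, `reject`, `checked`) are constructed for the illustration. The `checked` mode shows the defender's fix: credit only value the contract has actually received in the transaction.

```python
"""Model of refund-on-excess commits called repeatedly in one transaction.

Constructed illustration: an auction with a cap, a payer that transfers ETH
once per transaction, and a commit function that is invoked `calls` times in
that transaction while seeing the same msg.value each time.
"""
from dataclasses import dataclass


@dataclass
class Tx:
    sender: str
    value: int   # ETH actually transferred, once, with the transaction
    calls: int   # how many times commit_eth is invoked within the transaction


class Auction:
    def __init__(self, cap: int, mode: str):
        assert mode in ("refund", "reject", "checked")
        self.cap = cap
        self.mode = mode
        self.total = 0          # ETH credited as commitments
        self.credits = {}       # sender -> committed ETH
        self.balance = 0        # ETH the contract really holds
        self.refunded = {}      # sender -> ETH paid back
        self._unconsumed = 0    # real value not yet credited ("checked" mode)

    def commit_eth(self, sender: str, msg_value: int) -> None:
        accepted = min(msg_value, self.cap - self.total)
        if self.mode == "checked":
            # Mitigation: only trust value genuinely received in this tx.
            if msg_value > self._unconsumed:
                raise ValueError("msg.value reused across repeated calls")
            self._unconsumed -= msg_value
        excess = msg_value - accepted
        if excess > 0:
            if self.mode == "reject":
                raise ValueError("commitment exceeds cap")
            # Refund path: pays the excess out of the contract's real balance.
            self.balance -= excess
            self.refunded[sender] = self.refunded.get(sender, 0) + excess
        self.total += accepted
        self.credits[sender] = self.credits.get(sender, 0) + accepted

    def run_tx(self, tx: Tx) -> bool:
        """Apply a transaction atomically; returns False if it reverted."""
        snapshot = (self.total, dict(self.credits), self.balance, dict(self.refunded))
        self.balance += tx.value          # ETH arrives once
        self._unconsumed = tx.value
        try:
            for _ in range(tx.calls):     # every call sees the same msg.value
                self.commit_eth(tx.sender, tx.value)
            return True
        except ValueError:
            self.total, self.credits, self.balance, self.refunded = snapshot
            return False


def scenario(mode: str, attacker_calls: int) -> dict:
    """Honest bidder commits 50 ETH; then one 1 ETH tx repeats commit_eth."""
    a = Auction(cap=100, mode=mode)
    a.run_tx(Tx("honest", 50, 1))
    ok = a.run_tx(Tx("attacker", 1, attacker_calls))
    return {
        "ok": ok,
        "attacker_credit": a.credits.get("attacker", 0),
        "attacker_refund": a.refunded.get("attacker", 0),
        "balance": a.balance,
        "total": a.total,
    }


if __name__ == "__main__":
    for mode, calls in (("refund", 100), ("reject", 100), ("reject", 50), ("checked", 50)):
        print(mode, calls, scenario(mode, calls))
```

In `refund` mode a single 1 ETH transaction ends with 50 ETH of credit and 50 ETH refunded out of other bidders' deposits, which is the "contract drained" outcome the article describes. Merely switching to `reject` stops the drain but still lets the caller outbid others for almost nothing (50 calls, 1 ETH paid, 50 ETH credited). Only the `checked` accounting, which ties credits to value actually received, closes both paths; the refund logic itself is harmless once that invariant holds.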

As of writing, the largest DeFi hack remains the $611 million theft of assets from the Poly Network protocol.

The hacker returned all stolen funds to the project and declined the $500,000 reward. According to him, he carried out the attack “for fun.”
