{"id":11866,"date":"2024-03-22T10:41:46","date_gmt":"2024-03-22T08:41:46","guid":{"rendered":"https:\/\/forklog.com\/en\/white-hat-hacker-exploits-telegram-game-super-sushi-samurai-for-4-6-million\/"},"modified":"2024-03-22T10:41:46","modified_gmt":"2024-03-22T08:41:46","slug":"white-hat-hacker-exploits-telegram-game-super-sushi-samurai-for-4-6-million","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/white-hat-hacker-exploits-telegram-game-super-sushi-samurai-for-4-6-million\/","title":{"rendered":"White Hat Hacker Exploits Telegram Game Super Sushi Samurai for $4.6 Million"},"content":{"rendered":"<p>The developers of the Telegram game Super Sushi Samurai have reported that a flaw in a smart contract allowed a hacker to withdraw $4.6 million from <span data-descr=\"liquidity pool\" class=\"old_tooltip\">LP<\/span> wallets.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">We have been exploited, it&#8217;s mint related. We are still looking into the code. Tokens were minted and sold into the LP. <br \/>Transaction:<a href=\"https:\/\/t.co\/F4XeqdyJu2\">https:\/\/t.co\/F4XeqdyJu2<\/a><\/p>\n<p>the exploited funds are in this wallet: <a href=\"https:\/\/t.co\/NWeTu5vMkj\">https:\/\/t.co\/NWeTu5vMkj<\/a><\/p>\n<p>\u2014 Super Sushi Samurai | SSS (@SSS_HQ) <a href=\"https:\/\/twitter.com\/SSS_HQ\/status\/1770836683426062397?ref_src=twsrc%5Etfw\">March 21, 2024<\/a><\/p><\/blockquote>\n<p>A Yuga Labs developer known as Coffee stated that this was a double-spending attack. 
When a user sent their wallet balance to themselves, it doubled the funds.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">The <a href=\"https:\/\/twitter.com\/SSS_HQ?ref_src=twsrc%5Etfw\">@SSS_HQ<\/a> <a href=\"https:\/\/twitter.com\/search?q=%24SSS&#038;src=ctag&#038;ref_src=twsrc%5Etfw\">$SSS<\/a> LP was just drained on blast because their token contract has a bug where transferring your entire balance to yourself doubles it.<\/p>\n<p>The order of operations decrements the balance for &#8220;from&#8221; and then sets the balance for &#8220;to&#8221; \u2014 if these are the same address, the\u2026 <a href=\"https:\/\/t.co\/RStMcFH3sy\">pic.twitter.com\/RStMcFH3sy<\/a><\/p>\n<p>\u2014 Coffee \u2615\ufe0f? (@coffeexcoin) <a href=\"https:\/\/twitter.com\/coffeexcoin\/status\/1770834359601217886?ref_src=twsrc%5Etfw\">March 21, 2024<\/a><\/p><\/blockquote>\n<p>The hacker acquired 690 million SSS tokens and transferred the entire balance to themselves 25 times, doubling it each time. They then <a href=\"https:\/\/blastscan.io\/tx\/0x80012bf784b83baaf28f5549a9f233cae5f70be7afcd8f594dc757d431ed93c4\">sold<\/a> the &#8220;mined&#8221; 11.5 trillion SSS for 1310 ETH (~$4.6 million) on decentralized exchanges.<\/p>\n<p>Later, the hacker contacted the project team through a <a href=\"https:\/\/blastscan.io\/tx\/0xda2ca81e2b89ce1ac5d1faeb331cd715af3902246d62195f7d9a95bd20e2abc1\">transaction signature<\/a> and offered to return the funds. 
At the time of writing, negotiations are ongoing.<\/p>\n<p>Following the incident, the price of the SSS token plummeted by 99.9% according to <a href=\"https:\/\/www.coingecko.com\/en\/coins\/super-sushi-samurai\">CoinGecko<\/a>.<\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh7-eu.googleusercontent.com\/3Aki_f9LvyLZuwvr6gR4Csb4CZwfMbGBtU69EUUmdwEnCVOUj6fqvRuXvJPGDuB8O6H9apVYv0-LhWM09JPm6PCC9H6nUrsbca0ydk66wv5WWetuP0TKKiY2s6gwDigGRV9nSeyT9teMUOkPLyYnpKU\" alt=\"White Hat Hacker Exploits Telegram Game Super Sushi Samurai for $4.6 Million\"\/><figcaption class=\"wp-element-caption\">Data: CoinGecko.<\/figcaption><\/figure>\n<p>The Telegram game Super Sushi Samurai operates on the Blast network. Rewards are generated through a combination of trading tax, a discount on on-chain transaction fees from Blast, and income derived from ether in the LP pool.<\/p>\n<p>Blast is an <span data-descr=\"Ethereum Virtual Machine\" class=\"old_tooltip\">EVM<\/span>-compatible scaling protocol utilizing Optimistic Rollups. The platform offers a passive income of 4-5% annually.<\/p>\n<p>The project was launched in November 2023 by the founder of the NFT marketplace Blur, known as Pacman. Initially, the protocol lacked even a test network and invited users to deposit coins via a bridge.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The developers of the Telegram game Super Sushi Samurai have reported that a flaw in a smart contract allowed a hacker to withdraw $4.6 million from LP wallets. We have been exploited, it&#8217;s mint related. We are still looking into the code. Tokens were minted and sold into the LP. 
Transaction:https:\/\/t.co\/F4XeqdyJu2 the exploited funds are [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":11865,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"","news_style_id":"","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[44,1155,1195],"class_list":["post-11866","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-cybercrime","tag-games-and-gamefi","tag-white-hat-hackers"],"aioseo_notices":[],"amp_enabled":true,"views":"45","promo_type":"","layout_type":"","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/11866","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=11866"}],"version-history":[{"count":0,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/11866\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/11865"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=11866"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=11866"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=11866"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}