White Hat May Save SushiSwap $350M by Finding “Obvious” Exploit

A white-hat hacker has just helped SushiSwap avoid becoming the latest DeFi hack victim, saving SushiSwap and its MISO platform from potential losses of 109,000 ETH.

The programmer talked in a blog post published yesterday about how he began to examine the smart contract code for the BitDAO token sale at SushiSwap’s token launchpad platform, MISO.

As he was taking a look, he noticed a flaw in the MISO Dutch auction contract in which some functions didn’t have access controls.

“I didn’t really expect this to be a vulnerability though, since I didn’t expect the Sushi team to make such an obvious misstep.”

But on closer inspection, the white hat found a vulnerability that, if exploited, would have let a bad actor drain all of the crypto assets in the token auction contract. By batching several calls to the contract, an attacker could have reused the same ETH repeatedly and “bid in the auction for free.”

Samczsun then tested the vulnerability and the test succeeded. He asked colleagues Georgios Konstantopoulos and Dan Robinson to take a look and double-check the finding. He further found that an attacker could have stolen funds from the contract by sending more ETH than the auction hard cap, which triggers a refund.
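The accounting failure described in the two paragraphs above can be modelled in a few lines of Python. This is an added illustration, not code from SushiSwap or from the white hat's blog post; the class, the numbers, and the assumption that each call in a batch is shown the full attached amount are constructed for the model.

```python
# Constructed toy model of an auction that accepts batched calls.
# Not SushiSwap's contract code; all names and numbers are hypothetical.

class Auction:
    def __init__(self, hard_cap, prior=0, spend_once=False):
        self.hard_cap = hard_cap
        self.balance = prior          # ETH the contract actually holds
        self.committed = prior        # ETH credited to bidders so far
        self.spend_once = spend_once  # hardened: attached ETH is spent only once

    def _commit(self, value):
        """Credit `value` up to the hard cap; return (credited, refund)."""
        credited = min(value, self.hard_cap - self.committed)
        self.committed += credited
        refund = value - credited
        self.balance -= refund        # anything above the cap is paid back
        return credited, refund

    def batch(self, attached, n_calls):
        """One transaction carrying `attached` ETH that makes n_calls commits."""
        self.balance += attached      # the ETH arrives exactly once
        unspent, credited, refunded = attached, 0, 0
        for _ in range(n_calls):
            # Weak: every call is shown the full attached amount again.
            # Hardened: a call is only shown what earlier calls left unspent.
            value = unspent if self.spend_once else attached
            unspent = 0 if self.spend_once else unspent
            c, r = self._commit(value)
            credited, refunded = credited + c, refunded + r
        return credited, refunded

    def solvent(self):
        """Invariant to assert after every call: holdings cover commitments."""
        return self.balance >= self.committed


def run(spend_once, prior, attached=10, n_calls=5, hard_cap=100):
    a = Auction(hard_cap, prior, spend_once)
    credited, refunded = a.batch(attached, n_calls)
    return credited, refunded, a.balance, a.solvent()


if __name__ == "__main__":
    for prior in (0, 90):             # empty auction, then one near its cap
        print(prior, "weak:", run(False, prior), "hardened:", run(True, prior))
```

The `solvent()` check is the invariant a test suite or on-chain monitor would assert: the contract's balance must never fall below the total it has credited to bidders.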

“Suddenly, my little vulnerability just got a lot bigger. I wasn’t dealing with a bug that would let you outbid other participants. I was looking at a 350 million dollar bug.”

He then decided to let Joseph Delong, the CTO of SushiSwap, create a rescue plan before the exploit became publicly available.

SushiSwap confirmed that no funds were lost during the salvage effort.

Source: Cointelegraph.com

