The security researcher found a flaw in a Dutch auction smart contract that could have resulted in the loss of 109,000 ETH.
The SushiSwap decentralized exchange has narrowly avoided becoming the latest DeFi hack victim thanks to assistance from a white hat hacker.
A security researcher from venture capital firm Paradigm known on Twitter as “samczsun” has managed to save SushiSwap and its MISO platform from a potential loss of as much as 109,000 ETH.
In a blog post published on Aug. 17, the programmer described how he began examining the smart contract code for the BitDAO token sale at SushiSwap’s token launchpad platform, MISO.
Just pulled off maybe the biggest whitehat rescue ever. Story time soon
— samczsun (@samczsun) August 17, 2021
On closer inspection, he found a flaw in the MISO Dutch auction contract whereby some of the functions lacked access controls.
“I didn’t really expect this to be a vulnerability though, since I didn’t expect the Sushi team to make such an obvious misstep.”
Upon deeper investigation, the white hat discovered a vulnerability that, if exploited, could result in all of the crypto assets in the token auction contract being drained by a malicious actor. An attacker could batch multiple calls to the contract while reusing the same ETH for each of them, and so “bid in the auction for free.”
Samczsun tested the vulnerability with a successful exploit before contacting colleagues Georgios Konstantopoulos and Dan Robinson to take a look and double-check the findings. He also discovered that a hacker could steal the funds from the contract by triggering a refund by sending a higher amount of ETH than the auction hard cap.
“Suddenly, my little vulnerability just got a lot bigger. I wasn’t dealing with a bug that would let you outbid other participants. I was looking at a 350 million dollar bug.”
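The two flaws described above come from one pattern: a payable batch helper that delegatecalls back into the auction contract, so every batched `commitEth()` sees the same `msg.value`, while the over-hard-cap refund is paid from the contract's balance. The following Solidity is an added, simplified reconstruction of that bug class for illustration, not MISO's actual code; the contract and function names are assumptions, and the hardened variant shows one defensive fix (a non-payable batch).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Simplified reconstruction of the bug class; names and cap are assumed.
abstract contract AuctionBase {
    uint256 public constant HARD_CAP = 100 ether;
    uint256 public totalCommitted;
    mapping(address => uint256) public commitments;

    // Accepts ETH up to the hard cap; any excess is refunded from the
    // contract's balance. State is updated before the refund call.
    function commitEth() public payable {
        uint256 room = HARD_CAP - totalCommitted;
        uint256 accepted = msg.value > room ? room : msg.value;
        commitments[msg.sender] += accepted;
        totalCommitted += accepted;
        if (msg.value > accepted) {
            (bool sent, ) = msg.sender.call{value: msg.value - accepted}("");
            require(sent, "refund failed");
        }
    }
}

// Vulnerable: batch() is payable and delegatecalls into this contract.
// delegatecall preserves msg.value, so each batched commitEth() is credited
// with the full msg.value although the ETH arrived only once. Once the cap
// is reached, the "excess" refund is paid out of other bidders' deposits.
contract VulnerableAuction is AuctionBase {
    function batch(bytes[] calldata calls) external payable {
        for (uint256 i = 0; i < calls.length; i++) {
            (bool ok, ) = address(this).delegatecall(calls[i]);
            require(ok, "batched call failed");
        }
    }
}

// Hardened: batch() is not payable, so the compiler rejects any call that
// carries ETH and msg.value is zero inside every delegated call. ETH can
// only enter through a direct commitEth() call, where it is counted once.
contract HardenedAuction is AuctionBase {
    function batch(bytes[] calldata calls) external {
        for (uint256 i = 0; i < calls.length; i++) {
            (bool ok, ) = address(this).delegatecall(calls[i]);
            require(ok, "batched call failed");
        }
    }
}
```

The general rule for reviewers is that any function reading `msg.value` must never be reachable more than once per external call that carries value, whether through delegatecall batching, loops or internal re-entry.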
It was then time to reach out to SushiSwap CTO Joseph Delong to formulate a rescue plan before the exploit was discovered in the wild. It was decided that the BitDAO team holding the token sale would manually end the auction by purchasing the remaining allocation and immediately finalizing the process and rescuing the funds.
SushiSwap noted that no funds were lost in the salvage effort, adding that it will pause the use of its MISO Dutch auction format until the smart contract can be updated. Crypto community member “DC Investor” commented:
“Everyone knows Paradigm has big UNI / Uniswap bags, but Sam from their team just helped save SushiSwap (an ostensible competitor) from a critical bug. This is the ethos of the space among the best actors.”
The BitDAO token sale went off without a hitch, raising more than 112,000 ETH, valued at roughly $336 million, from over 9,200 participants, according to a tweet from the protocol on Aug. 17.