A white-hat hacker has nipped a potential 109,000 ETH DeFi hack in the bud. The discovery of an “obvious flaw” in the SushiSwap smart contract saved the Ethereum ecosystem an embarrassing loss. This would have been only a few days after the Poly Network $600 million incident.
The security researcher, who works with the investment firm Paradigm, described in a blog post how he discovered an apparent vulnerability. He went on to patch up the flaw and saved the MISO platform-based DeFi protocol a whopping $350 million loss. The white-hat hacker, known as “samczsun” on Twitter, wrote:
“Just pulled off maybe the biggest white-hat rescue ever. Story time soon.”
Such an obvious misstep
Samczsun explained in the blog post how he started examining the smart contract. This was after realizing that an auction was going on. The programmer scrutinized the code for the BitDAO token sale and discovered some functions had missing access controls. He wrote:
“I didn’t really expect this to be a vulnerability, though, since I didn’t expect the Sushi team to make such an obvious misstep. Sure enough, the initAccessControls function validated that the contract had not already been initialized.”
Upon deeper scrutiny, samczsun identified a flaw that any malicious hacker could easily exploit. The vulnerability could have drained SushiSwap of all its crypto assets. The flaw could allow an attacker to batch numerous calls that reused the same ETH as many times as they wished and “bid in the auction for free” multiple times. Apart from free bids, a criminal could also have stolen funds by triggering refunds. All the attacker would need to do is send more ETH than the auction's hard cap. According to samczsun:
“This applied even once the hard cap was hit, meaning that instead of rejecting the transaction altogether, the contract would refund all of your ETH instead […] suddenly, my little vulnerability just got a lot bigger. I wasn’t dealing with a bug that would let you outbid other participants. I was looking at a 350 million dollar bug.”
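The accounting failure described above, as an added Python model that is not samczsun's or SushiSwap's code: it assumes the batch helper presents the same attached ETH to every sub-call, and all names are hypothetical. It contrasts the flawed crediting with a spend-once budget and gives the solvency invariant a test suite or monitor would check.

```python
# Simplified accounting model, constructed for illustration. Class and method
# names are hypothetical; this is not the MISO contract's code.
class Auction:
    def __init__(self, hard_cap):
        self.hard_cap = hard_cap
        self.balance = 0           # ETH the contract actually holds
        self.total_committed = 0   # ETH the contract believes was bid
        self.commitments = {}      # bidder -> credited amount

    def _commit(self, bidder, value):
        """Credit `value` to bidder; refund whatever exceeds the hard cap."""
        room = max(self.hard_cap - self.total_committed, 0)
        accepted = min(value, room)
        refund = value - accepted
        self.commitments[bidder] = self.commitments.get(bidder, 0) + accepted
        self.total_committed += accepted
        self.balance -= refund     # refunds are paid from the contract's funds
        return refund

    def bid(self, bidder, attached):
        """Ordinary single bid: value arrives once and is credited once."""
        self.balance += attached
        return self._commit(bidder, attached)

    def batch_flawed(self, bidder, attached, n_calls):
        """Flawed batching: every sub-call is credited the full attached value."""
        self.balance += attached   # the ETH only arrives once
        return sum(self._commit(bidder, attached) for _ in range(n_calls))

    def batch_hardened(self, bidder, attached, n_calls):
        """Hardened batching: the attached value is a budget spent only once."""
        self.balance += attached
        budget, refunds = attached, 0
        for _ in range(n_calls):
            spend, budget = budget, 0   # only the first sub-call gets the value
            refunds += self._commit(bidder, spend)
        return refunds

    def solvent(self):
        """Invariant for tests and monitoring: credited bids are fully backed."""
        return self.balance >= self.total_committed
```

Asserting `solvent()` after every state-changing call in a test suite flags both outcomes the article describes: commitments credited without backing, and refunds paid out of other bidders' deposits once the hard cap is reached.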
No funds were lost
After successfully testing the vulnerability, the programmer reached out to colleagues Georgios Konstantopoulos and Dan Robinson. They double-checked and validated his findings. That’s when he reached out to SushiSwap CTO Joseph Delong. He advised that they create a rescue plan before the exploit was discovered in the wild.
SushiSwap reported that no funds were lost and announced they had paused using the MISO Dutch auction format. D.C. Investor, a crypto community member, commented:
“Everyone knows Paradigm has big UNI / Uniswap bags, but Sam from their team just helped save SushiSwap (an ostensible competitor) from a critical bug. This is the ethos of the space among the best actors.”
The U.S. State Department recently enlisted the help of white-hat hackers to help prevent similar incidents aimed at government infrastructure. The U.S. initiative comes with a $10 million incentive.
Tom is a long-serving freelance writer who specializes in the blockchain and cryptocurrency niche. You may even call him a crypto-enthusiast with over 10 years’ experience in content creation, blog writing, and SEO. He is a philosophical figurehead who believes that to make our world a better place, we must invest in incorruptible products and procedures, of which Bitcoin and other cryptocurrencies are leading examples.