SushiSwap’s token platform called MISO was reportedly attacked on Thursday, with the hacker stealing 864.8 Ethereum, approximately $3 million in current prices.
SushiSwap is one of the largest decentralized exchanges (DEX) in the world and rival to Uniswap, with more than $495 million in trading volume over the last 24 hours, per CoinGecko.
As described on the project’s website, MISO is “a suite of open-source smart contracts created to ease the process of launching a new project on the SushiSwap exchange.”
According to SushiSwap’s CTO Joseph Delong, MISO fell victim to a so-called supply chain attack, which saw an anonymous contractor going under the GitHub handle AristoK3 inject malicious code into the platform’s front end and replace the auction’s wallet with their own address.
The only exploited auction was the @JayPegsAutoMart auction. The attacker inserted their own wallet address to replace the auctionWallet at the auction creation.
Effected auctions have all been patched.
— Joseph Delong (@josephdelong) September 17, 2021
The exploited NFT auction in question is automobile-themed Jay Pegs Auto Mart, which has already been patched.
According to Ethereum blockchain explorer Etherscan, which has identified the address shared by Delong as the one involved in the MISO exploit, the attack occurred at 12:04 pm Eastern time on Thursday.
This is not the first time MISO has encountered a similar problem. On a previous occasion, however, the platform’s team got away lightly.
Last month, samczsun, a security researcher for venture capital firm Paradigm, discovered a vulnerability while examining the smart contract code of the BitDAO token sale on the MISO platform.
The researcher said that the vulnerability could have potentially resulted in a loss of about $350 million.
The sale concluded without any incident, raising $365 million in the process. However, it required the BitDAO team to manually end the token auction to neutralize the potential threat.
Hacker’s identity known?
SushiSwap claims there are reasons to believe that the hacker is a Twitter user @eratos1122, who “has done work with Yearn.Finance and approached many other projects.”
We have asked @FTX_Official and @Binance to turn over the attackers KYC information, but they have resisted on this time sensitive matter.
The attacker(s) has done work with @Yearn and has approached many other projects. I urge you to check your own front ends for exploits.
— Joseph Delong (@josephdelong) September 17, 2021
However, the Twitter profile Delong linked to shows a different GitHub handle, not AristoK3 as SushiSwap claims.
Delong added that SushiSwap asked crypto exchanges FTX and Binance to share the attacker’s hacker’s know-your-customer (KYC) information, “but they have resisted on this time-sensitive matter.”
“I recommend that you test your own user interface in order to identify exploits early on,” said Delong.
He also stated that SushiSwap instructed the company’s lawyer Stephen Palley to file a complaint with the FBI if the stolen funds are not returned by 8 am Eastern Time on Friday.