A hacker exploited a bug in Super Sushi Samurai, a newly launched gaming token on the Blast network, to steal roughly $4.6 million worth of Ethereum on March 21, less than a month after its launch.

The exploit resulted in an approximately 99% slippage in the token’s value following an unauthorized token dump. The attacker extracted 1,310 ETH from the token’s main liquidity pool by repeatedly doubling their balance and then selling it all, according to details CertiK shared with CryptoSlate.

Super Sushi Samurai was scheduled to launch its web3 game on the same day. The incident may have been conducted by a white hat hacker currently in touch with the Super Sushi Samurai team. However, the details are unclear as of press time.

Duplication bug

Investigations into the incident revealed that an unauthorized party acquired 690 million SSS tokens and subsequently initiated a series of transactions through an attack contract specifically designed for this purpose.

By exploiting a vulnerability within the platform’s _update() function, the attacker was able to duplicate the tokens in their possession 25 times. This manipulation inflated the token quantity to 11.5 trillion, which was eventually exchanged for approximately 1,310 ETH, equivalent to around $4,590,827.

The exploit leveraged a flaw in the smart contract’s balance update mechanism, which failed to accurately reflect the changes when tokens were transferred to the same address. This oversight enabled the exponential increase in the attacker’s token balance without legitimate transactions.
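
An added illustration of this bug class, not the Super Sushi Samurai contract's own code: a Python model of a balance update that, by assumption, reads both balances before writing either, shown beside a version that writes against live balances, with a supply-conservation check run over constructed sample balances. The names `Ledger`, `update_vulnerable`, `update_fixed` and `check_supply_invariant` are hypothetical.

```python
# Added illustration: a minimal ledger model, not the SSS contract's code.
# Assumption: the flaw arises from caching both balances before writing back.

class Ledger:
    def __init__(self, balances):
        self.balances = dict(balances)

    def total_supply(self):
        return sum(self.balances.values())

    def update_vulnerable(self, sender, recipient, amount):
        from_bal = self.balances.get(sender, 0)
        to_bal = self.balances.get(recipient, 0)  # stale copy if recipient == sender
        if from_bal < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] = from_bal - amount
        # On a self-transfer this write discards the debit made one line above.
        self.balances[recipient] = to_bal + amount

    def update_fixed(self, sender, recipient, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        # Debit and credit read live storage, so a self-transfer nets to zero.
        self.balances[sender] = self.balances.get(sender, 0) - amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount


def check_supply_invariant(update_name, sender, recipient, amount, balances):
    """Return True if the transfer leaves total supply unchanged."""
    ledger = Ledger(balances)
    before = ledger.total_supply()
    getattr(ledger, update_name)(sender, recipient, amount)
    return ledger.total_supply() == before


# Constructed sample balances, for illustration only.
SAMPLE = {"alice": 100, "bob": 50}


def run_checks():
    """Check both update variants on a normal transfer and a self-transfer."""
    cases = [("alice", "bob", 40), ("alice", "alice", 100)]
    return {
        (name, s, r): check_supply_invariant(name, s, r, a, SAMPLE)
        for name in ("update_vulnerable", "update_fixed")
        for (s, r, a) in cases
    }
```

A conservation test that includes the sender-equals-recipient case, as `run_checks` does, is the kind of unit or fuzz check that catches this flaw before deployment.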

In February, the same bug was used to exploit an Ethereum-based token called MINER. The hack resulted in a loss of 168.8 ETH.

Recovery efforts

Following the breach, Super Sushi Samurai has engaged with its community, providing updates and assurances through its official Telegram channel and other social media platforms.

The team said it is trying to contact the exploiter, and the most recent tweet from the gaming platform indicates a white hat hacker has reached out about the incident. However, it is unclear whether the white hat is responsible for the exploit or helping recover the funds as of press time.

Super Sushi Samurai said:

“We’re working with the white hat on the safe return of funds. An update and post-mortem will follow.”

The address containing the compromised funds has been publicly disclosed in an effort to facilitate the tracking and potential recovery of the lost assets:

“0x786C8f95C17BB990a040dc4D6539B01FC1b72842”

The team’s communication efforts aim to keep stakeholders informed about the incident’s developments and the measures to address the security vulnerability.

This incident highlights the critical importance of robust security protocols in the crypto sector, where the digital nature of assets makes them vulnerable to such exploits. It also highlights platforms’ ongoing challenges in safeguarding against sophisticated cyber threats.

The post New gaming token on Blast exploited for $4.6 million – white hat hacker involved appeared first on CryptoSlate.