SushiSwap is a decentralized exchange platform based on Ethereum (ETH) that has since migrated to other blockchains. It came close to disaster before a researcher found a critical flaw.
Like a hair in the Miso soup
Last February, the SushiSwap platform unveiled its new product, Miso. In practice, this toolkit is intended for the creation and deployment of new cryptocurrencies on Ethereum. It offers a wide variety of services, ranging from token creation to selling via IEOs or farming features.
However, a researcher has just identified a critical flaw in Miso’s contract, which could have resulted in the loss of 109,000 ETH, or more than $320 million at the current price.
On August 17, researcher Sam Sun, working for the venture capital fund Paradigm, published his findings first on Twitter, before detailing them in a dedicated article.
A SushiSwap flaw that was a little too obvious?
That is what @samczsun said after discovering the flaw. He started his research after seeing that a Dutch auction-style sale was underway on the Miso platform for the BitDAO project. After a cursory inspection of the Dutch auction mechanism’s contracts, the researcher identified a function with no access control:
“I noticed that the initMarket function had no access control, which was extremely concerning. In addition, the initAuction function it called also contained no access control.”
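The first-pass check described above can be partly automated. The following is an added example, not code from the article, the researcher or the Sushi project: a heuristic Python scan that lists externally callable, state-changing Solidity functions with no visible caller check. The Solidity sample is constructed (only the names initMarket and initAuction come from the article), and treating only* modifiers as access control is an assumption.

```python
import re

# Constructed Solidity sample, NOT the Miso source; function names echo the article.
SAMPLE = """
contract DemoAuction {
    address public admin;
    bool private initialised;
    function initMarket(bytes calldata _data) public {
        initAuction(_data);
    }
    function initAuction(bytes calldata _data) public { initialised = true; }
    function finalize() external onlyAdmin { initialised = false; }
    function setAdmin(address _a) external {
        require(msg.sender == admin, "not admin");
        admin = _a;
    }
    function isOpen() external view returns (bool) { return initialised; }
}
"""

# group 1 = function name, group 2 = text between ')' and '{' (visibility, modifiers)
FUNC = re.compile(r"function\s+(\w+)\s*\([^)]*\)([^{;]*)\{")
# Assumption: access-control modifiers follow the common only* naming convention.
GUARD = re.compile(r"\bonly\w+")

def body_of(src, open_idx):
    """Return the text between the brace at open_idx and its matching close."""
    depth = 0
    for i in range(open_idx, len(src)):
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        if depth == 0:
            return src[open_idx + 1:i]
    return src[open_idx + 1:]

def unguarded_functions(src):
    """List externally callable, state-changing functions with no visible caller check."""
    hits = []
    for m in FUNC.finditer(src):
        name, header = m.group(1), m.group(2)
        if not re.search(r"\b(public|external)\b", header) or re.search(r"\b(view|pure)\b", header):
            continue  # not directly reachable from outside, or read-only
        if GUARD.search(header) or "msg.sender" in body_of(src, m.end() - 1):
            continue  # a modifier or an inline sender check is present
        hits.append(name)
    return hits

if __name__ == "__main__":
    print(unguarded_functions(SAMPLE))
```

A hit is a prompt for manual review, not a verdict: an initializer with no caller check can still be safe if it can only run once.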
After a few moments in front of the code, @samczsun quickly realized that he was reading the exact same code that was implicated in the hack that hit the Opyn protocol in August 2020.
“My instinct was that this was the real deal, but I couldn’t be sure without checking it. I quickly opened Remix and wrote a proof of concept. I quickly created a command-line fork of mainnet and tested my attack. It worked.”
He soon had colleagues check his finding and contacted Joseph Delong, the CTO of the Sushi project. After discussion, they decided to save the funds by purchasing the remaining allocation and immediately finalizing the auction, which requires the authorization of an administrator.
The transaction was then completed in collaboration with the Sushi team and BitDAO, which had run the fundraising. In the end there was more fear than harm: the contract has since been repaired and the Miso platform seems to have recovered its security.
This last-minute rescue recalls the recent Poly Network hack, in which the attacker finally gave back the funds, going from malicious hacker to white hat.