SushiSwap’s token platform called MISO was reportedly attacked on Thursday, with the hacker stealing 864.8 Ethereum, approximately $3 million in current prices.
SushiSwap is one of the largest decentralized exchanges (DEX) in the world and rival to Uniswap, with more than $495 million in trading volume over the last 24 hours, per CoinGecko.
As described on the project’s website, MISO is “a suite of open-source smart contracts created to ease the process of launching a new project on the SushiSwap exchange.”
According to SushiSwap’s CTO Joseph Delong, MISO fell victim to a so-called supply chain attack, which saw an anonymous contractor going under the GitHub handle AristoK3 inject malicious code into the platform’s front end and replace the auction’s wallet with their own address.
The only exploited auction was the @JayPegsAutoMart auction. The attacker inserted their own wallet address to replace the auctionWallet at the auction creation.
The exploited NFT auction in question is automobile-themed Jay Pegs Auto Mart, which has already been patched.
According to Ethereum blockchain explorer Etherscan, which has identified the address shared by Delong as the one involved in the MISO exploit, the attack occurred at 12:04 pm Eastern time on Thursday.
At 9:45 am Eastern time on Friday, Delong announced that all stolen funds were returned.
This is not the first time MISO has encountered a similar problem. On a previous occasion, however, the platform’s team got away lightly.
Last month, samczsun, a security researcher for venture capital firm Paradigm, discovered a vulnerability while examining the smart contract code of the BitDAO token sale on the MISO platform.
The researcher said that the vulnerability could have potentially resulted in a loss of about $350 million.
One week after Poly Network suffered a $600 million attack (a majority of the assets have since been returned), crypto could have been rocked by another enormous hack, this time at popular Ethereum decentralized exchange (DEX) SushiSwap. The DEX managed to avoid the expensive dilemma, however, thanks to the help of a white hat hacker.
In a post published today, samczsun—research partner at crypto-centric venture capital firm Paradigm—explained how he began examining the smart contract code yeste...
The sale concluded without any incident, raising $365 million in the process. However, it required the BitDAO team to manually end the token auction to neutralize the potential threat.
Hacker’s identity known?
SushiSwap claims there are reasons to believe that the hacker is a Twitter user @eratos1122, who “has done work with Yearn.Finance and approached many other projects.”
We have asked @FTX_Official and @Binance to turn over the attackers KYC information, but they have resisted on this time sensitive matter.
The attacker(s) has done work with @Yearn and has approached many other projects. I urge you to check your own front ends for exploits.
However, the Twitter profile Delong linked to shows a different GitHub handle, not AristoK3 as SushiSwap claims.
Delong added that SushiSwap asked crypto exchanges FTX and Binance to share the attacker’s hacker’s know-your-customer (KYC) information, “but they have resisted on this time-sensitive matter.”
“I recommend that you test your own user interface in order to identify exploits early on,” said Delong.
He also stated that SushiSwap instructed the company’s lawyer Stephen Palley to file a complaint with the FBI if the stolen funds are not returned by 8 am Eastern Time on Friday.
Editor's note [17.09.201 at 10:30 EST]: This article has been updated to show that all affected funds have been returned.
Daily Debrief Newsletter
Start every day with the top news stories right now, plus original features, a podcast, videos and more.
Formula 1 has renewed its partnership with exchange platform Crypto.com, extending the agreement through 2030 as both entities seek to capitalize on their shared momentum.
The renewed partnership will see Crypto.com continue to feature prominently at key Formula 1 events, including the Miami Grand Prix, where it has been the title sponsor since the race’s inception in 2022.
The deal, first inked in 2021, marked Formula 1’s foray into the crypto world at a time when digital assets were experienc...
Mo Shaikh, a co-creator of the Aptos blockchain and co-founder and CEO of the Aptos Labs firm that helps support it, announced Thursday that he's leaving the company to focus on a "new chapter."
"Today, I am stepping away from Aptos Labs to start a new chapter," Shaikh wrote on X. "One of my true passions lies in building companies from the ground up, and we have done that at Aptos Labs by building a world-class team."
"I leave Aptos Labs with the utmost confidence in the team," he continued, "a...
Building on the momentum of anticipated changes to U.S. crypto policy, Binance.US said it aims to restore its USD services in early 2025, according to a statement shared with Decrypt.
It marks the exchange's first major operational shift as regulatory pressure forced the exchange to suspend fiat trading last year.
The platform has operated under restricted banking access since June 2023, when SEC civil claims triggered a suspension of dollar deposits and withdrawals.
"While I can't provide a de...
