How White Hats Saved SushiSwap From Potential $350 Million Exploit
Market Musings

How White Hats Saved SushiSwap From Potential $350 Million Exploit

5mo ago

White hats from Paradigm and saved SushiSwap from a potential $350 million exploit, after samczsun discovered a vulnerability on SushiSwap's Miso dutch auction contract.

How White Hats Saved SushiSwap From Potential $350 Million Exploit

Table of Contents

The decentralized finance (DeFi) space is no stranger to security breaches and hacks. This year alone, there have been several high-profile attacks on DeFi protocols, including PancakeBunny’s $200 million exploit and the record $612 million hack on Poly Network. Data from Messari, a crypto analytics firm, suggests that over $284 million has been lost to DeFi attacks since 2019. In another data published by blockchain forensics firm CipherTrace, DeFi-related hacks and fraud cases rose to $474 million in the first seven months of the year.

Commenting on the spate of hacks, Dave Jevans, CipherTrace's chief executive officer, told Reuters in an email that:

Just eight months into 2021 and DeFi hacks, thefts, and frauds have already surpassed the total DeFi crimes from 2020. This means regulators around the globe are paying closer attention to DeFi specifically.

A Stitch In Time…

Speaking of DeFi attacks, a group of individuals in the crypto community has stopped what could have become yet another high-profile attack on a DeFi protocol. Paradigm’s research partner samczsun discovered a flaw in a Dutch auction smart contract, and raised it to his colleagues Georgios Konstantopoulos and Daniel Robinson. This exploit could have cost SushiSwap and its fundraising platform Miso more than $350 million worth of Ether (109,000 ETH).
According to a Monday post from SushiSwap, samczsun and his colleagues from Paradigm reached out to its team notifying them of a vulnerability on the Dutch auction contract on the Miso platform.
Combining batch with commitEth (a function on Miso Dutch Auction) creates a two-pronged issue where a user can both put up a commitment higher than ‘msg.value’ thereby draining any unsold tokens and additionally drain the raised funds on the contract as refunds if the auction has reached max commitment.

The security researchers discovered and fixed the bug in under five hours. And thanks to their efforts, SushiSwap confirmed that no funds were lost.

The Vulnerability on SushiSwap Miso

In a Tuesday blog post, samczsun described how he spotted the vulnerability while perusing the smart contract code for the BitDAO token sale on SushiSwap’s Miso platform. Although everything appeared in order, he found a flaw in the Miso Dutch auction contract. Some of the functions had no access control checks. He said:
However, near the bottom, I noticed that the initMarket function had no access controls, which was extremely concerning. Furthermore, the initAuction function it called also contained no access control checks [...] I didn’t really expect this to be a vulnerability though, since I didn’t expect the Sushi team to make such an obvious misstep. Sure enough, the initAccessControls function validated that the contract had not already been initialized.

Upon further investigation, he discovered an even bigger issue that could have led to the loss of all the cryptocurrencies in the token auction contract if exploited. The vulnerability would allow a malicious actor to reuse the same ETH multiple times, giving the attacker the ability to “bid in the auction for free.”

Sam tested his theory, which turned out to be true. He then contacted his colleagues Georgios Konstantopoulos and Dan Robinson to double-check his findings. He ran a second check through the smart contract and discovered that an attacker could also steal funds from the contract through a “refund logic” by sending a higher amount of ETH than the auction’s hard cap.

I had noticed there was some refund logic during my initial scan but thought little of it […] To my surprise (and horror), I found that a refund would be issued for any ETH sent which went over the auction’s hard cap. This applied even once the hard cap was hit, meaning that instead of rejecting the transaction altogether, the contract would simply refund all of your ETH instead […] Suddenly, my little vulnerability just got a lot bigger. I wasn’t dealing with a bug that would let you outbid other participants. I was looking at a 350 million dollar bug.

At this point, the programmer reached out to SushiSwap’s chief technology officer Joseph Delong to come up with a rescue plan before the exploit meets the wrong eyes. As a first step, it was decided that the BitDAO team would manually end its auction by purchasing the remaining allocation of its token sale. This would allow them to finalize the process and rescue the funds.

As earlier mentioned, SushiSwap confirmed that no funds were lost in the rescue operation. It also announced that it will suspend the use of its Miso Dutch auction until the contract is updated.

Meanwhile, Sam and his team have earned some accolades for their actions. Crypto community member DCinvestor said:

“Everyone knows Paradigm has big UNI / Uniswap bags, but Sam from their team just helped save SushiSwap (an ostensible competitor) from a critical bug. This is the ethos of the space among the best actors.”

Twitter user BanhbaoCrypto wrote. “The Defi superhero we all need but don’t deserve!”

White hats are taking over

In the closing part of his blog post, samczsun reflected on a very important lesson. Smart contracts and blockchain tech, in general, are still in their nascent stages and have a lot of room to grow. He pointed out that even “safe components can come together to make something unsafe.”

With the help of ethical programmers like Sam, the road to discovery should not be filled with too many incidents of hacks and loss of investors’ funds

Sam's latest discovery happened several days after cross-chain DeFi protocol Poly Network lost more than $600 million worth of cryptocurrencies in an exploit. Thankfully, the attacker in the case of Poly Network was also a white hat hacker and has since then returned the entire loot.
This article contains links to third-party websites or other content for information purposes only (“Third-Party Sites”). The Third-Party Sites are not under the control of CoinMarketCap, and CoinMarketCap is not responsible for the content of any Third-Party Site, including without limitation any link contained in a Third-Party Site, or any changes or updates to a Third-Party Site. CoinMarketCap is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement, approval or recommendation by CoinMarketCap of the site or any association with its operators. This article is intended to be used and must be used for informational purposes only. It is important to do your own research and analysis before making any material decisions related to any of the products or services described. This article is not intended as, and shall not be construed as, financial advice. The views and opinions expressed in this article are the author’s [company’s] own and do not necessarily reflect those of CoinMarketCap.