A security researcher discovered a vulnerability that put over $350 million worth of Ethereum at risk on SushiSwap and made sure it was patched.
The researcher decided to investigate SushiSwap’s code
In a blog post, samczsun, a security researcher at venture capital firm Paradigm, explained that he happened to come across a discussion about a capital raise on the platform. As a result, he decided to inspect the project’s code on Etherscan.
In the process, he came across a vulnerability in the MISO Dutch Auction Contract, where some functions had no access control. Upon further investigation, the researcher discovered a vulnerability that, if exploited, could result in all crypto assets in the token auction contract being drained by a malicious actor. Samczsun tested the vulnerability with a successful exploit before turning to his colleagues Georgios Konstantopoulos and Dan Robinson to take a look and review the findings.
Fixing the bug was more complicated than expected
Samczsun and the SushiSwap team tried to fix the vulnerability by buying the allocated funds with a flash loan. This would have ended the auction and allowed them to repay the flash loan with funds from the auction. The plan was complicated by the fact that there was a concurrent batch auction that did not work the same way and was not vulnerable to the exploit. At some point, it was decided that the BitDAO team running the token sale would manually end the auction by buying the remaining allocation and immediately completing the process and retrieving the funds. Samczsun noted that it only took five hours to recover the funds.
Today’s announcement comes just days after the attack on Poly Network, another high-profile DeFi platform. In this hack, the vulnerability was not found in time, so a hacker managed to exploit the protocol and steal $600 million from it.