SushiSwap Hacked for $3 million
The Intelligent Insurer #34 - Hacker exploits MISO platform and returns funds less than 24 hours later
Decentralized exchange SushiSwap was the victim of a hack recently, with the attacker tapping into roughly $3 million worth of ETH. The stolen funds were returned less than 24 hours after the hack, without explanation. In the latest Intelligent Insurer, we outline the events surrounding this hack, the exploit the hacker leveraged, and the effect that incidents like these have on the wider DeFi ecosystem. Before we dive into these developments, we review our weekly development update.
Insured Finance Development Update
We continue to make rapid progress towards our Alpha release. We deployed our front end on the Mumbai testnet last week, which users can explore here. We also managed to hit some key milestones over the past week, including:
We’ve deployed all smart contracts to the Mumbai testnet along with the subgraph. Users can access The Graph by clicking on this link. The Graph allows third-party contracts and platforms to query data from the Insured Finance marketplace.
We set up 25 accounts with testnet INFI tokens. Currently, 5 accounts are being tested and we’ll create a form to invite members of the community to sign up.
Smart contracts related to token distribution are currently under testing on the Goerli testnet.
We’ve made significant progress on development over the past week and continue to develop “how-to” documentation related to the project. We’re monitoring performance, analytics, and testing issues as we move forward towards our vision of creating the premier insurance marketplace for the digital asset industry.
Attacker Exploits MISO Smart Contracts on SushiSwap
According to the project’s website, MISO is “a suite of open-source smart contracts created to ease the process of launching a new project on the SushiSwap exchange.” It is an integral part of SushiSwap, one of the largest decentralized exchanges in the world. According to CoinGecko, the exchange witnessed trading volumes over $592 million over the past 24 hours. On Thursday, September 16th, Joseph Delong, CTO of SushiSwap, tweeted that MISO was the victim of a “supply chain attack”.
In his thread, Delong reported that a GitHub contractor with the handle AristoK3 took advantage of an ongoing NFT auction by injecting malicious code into the system’s front end. The hacker substituted the auction wallet’s address with a malicious one that presumably belonged to them.
This wallet accumulated 865.1 ETH, roughly $3 million at the time of writing, before the exploit was discovered and stopped by the SushiSwap team. The only auction affected by this exploit was Jay Pegs AutoMart, with other auctions escaping unscathed. The platform’s native token SUSHI dropped by 9% following the announcement. In addition, Delong identified a Twitter user with the handle @eratos1122 as the hacker.
Stolen funds returned within 24 hours
Delong’s announcement was followed by the assurance that the project team was investigating the incident. He mentioned that SushiSwap had contacted Binance and FTX to uncover the attacker’s identity, since the malicious wallet had been used to withdraw funds from those exchanges in the past.
While the exchanges declined Delong’s request, this discovery called the hacker’s sophistication into question. After all, using a wallet connected to KYC-mandated exchanges made it easy for authorities to trace their identity. This is perhaps what allowed Delong to confidently claim that he knew the attacker’s identity.
However, the Twitter user with the handle @eratos1122 subsequently denied taking part in the attack, and requested an apology from Delong. In addition, this profile links to a different GitHub account, not the AristoK3 account that Delong identified as belonging to the hacker. At 9:45 am Eastern Time, on Friday September 18th, Delong announced that all stolen funds had been returned. No explanation was given for the funds’ return.
Questionable third-party security by SushiSwap
This isn’t the first instance of theft SushiSwap has faced. On January 28th, 2021, a system flaw on the SushiSwap protocol was exploited, with a hacker stealing 81 ETH at the time. There was another close call in August when a group of whitehat hackers uncovered a weakness that could have cost the platform 109,000 ETH.
On a broader scale, DeFi networks are increasingly suffering attacks, whether white hat ones like the Poly Network hack we highlighted previously, or black hat ones like this incident. SushiSwap was undoubtedly lucky in this incident, but DeFi investors need to take protective measures.
A decentralized marketplace solution like Insured Finance offers cryptocurrency users versatile protection options that suit their specific holdings. Users on the marketplace can secure tailored insurance on their specific portfolio. In the case of the SushiSwap exploit, those with insurance would have been eligible for compensation.
About Insured Finance
Insured Finance is a decentralized, peer-to-peer insurance marketplace. Insured Finance users can request customized insurance on a wide variety of digital assets. Those that fulfill requests earn premiums and can earn a competitive return on their capital. Claims are fully collateralized and settled instantly.