Exec issues FBI warning as SushiSwap’s MISO suffers $3M exploit
Decentralized finance (DeFi) project SushiSwap suffered an exploit on its token platform, MISO. The attack resulted in the hacker stealing 864.8 ETH, currently worth $3 million.
The incident was first brought to light by Chief Technology Officer Joseph Delong who tweeted,
The Miso front end has become the victim of a supply chain attack. An anonymous contractor with the GH handle AristoK3 injected malicious code into the Miso front end. We have reason to believe this is @eratos1122.
864.8 ETH was stolen, address below https://t.co/cDZeBqFV4P
— Joseph Delong (@josephdelong) September 17, 2021
As an important project in the DeFi ecosystem, this supply chain attack could have far-reaching consequences. MISO is a suite of open-source smart contracts created to ease the process of launching a new project on the SushiSwap exchange.
According to the CTO, the attacker, going by the GitHub handle AristoK3, changed the contract address to one of his own and injected the platform’s front end with malicious code.
The only exploited auction was the @JayPegsAutoMart auction. The attacker inserted their own wallet address to replace the auctionWallet at the auction creation.
Affected auctions have all been patched.
— Joseph Delong (@josephdelong) September 17, 2021
The exec went on to say that only one NFT auction's contract address was exploited, that of the automobile-themed Jay Pegs Auto Mart. At press time, it had already been patched.
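The mechanism described above is a tampered front end building a transaction whose payout recipient (the auctionWallet) or target contract is not what the user expects. The following is an added example, not SushiSwap or MISO code, of the kind of pre-signing check a wallet, browser extension or auditing script could run on the transaction a dApp front end prepares, so that a swapped wallet address is caught before anything is signed. The field names `to` and `auctionWallet`, the pinned factory address and the sample transactions are all constructed for this example.

```javascript
// Added example (not SushiSwap/MISO code): a client-side pre-signing check on an
// auction-creation transaction prepared by a dApp front end. If the front-end
// bundle has been tampered with (a supply-chain attack), it may swap the payout
// wallet or the target contract; this check refuses either. Field names,
// addresses and sample transactions below are assumptions for the example.

// The contract address the user trusts. In practice it is pinned from a source
// independent of the front end (project docs, an on-chain registry), never read
// from the front end itself. Constructed placeholder value.
const PINNED_AUCTION_FACTORY = "0x" + "1".repeat(40);

const ADDRESS_RE = /^0x[0-9a-fA-F]{40}$/;

// Reject anything that is not a well-formed 20-byte EVM address, then lower-case
// it so that checksummed and non-checksummed spellings compare equal.
function normalizeAddress(addr) {
  if (typeof addr !== "string" || !ADDRESS_RE.test(addr)) {
    throw new Error(`not an EVM address: ${String(addr)}`);
  }
  return addr.toLowerCase();
}

// Returns { ok, reasons } for a transaction the front end is about to hand to the
// wallet. `tx.to` is the contract being called; `tx.auctionWallet` is the decoded
// payout-recipient argument of the auction-creation call. The payout must be the
// connected (creating) wallet and the call must go to the pinned factory.
function checkAuctionTx(tx, connectedWallet, trustedFactory = PINNED_AUCTION_FACTORY) {
  const reasons = [];
  const to = normalizeAddress(tx.to);
  const payout = normalizeAddress(tx.auctionWallet);
  const me = normalizeAddress(connectedWallet);

  if (to !== normalizeAddress(trustedFactory)) {
    reasons.push(`target contract ${tx.to} is not the pinned auction factory`);
  }
  if (payout !== me) {
    reasons.push(`auctionWallet ${tx.auctionWallet} is not the connected wallet`);
  }
  return { ok: reasons.length === 0, reasons };
}

// Constructed sample data: the creator's wallet, an attacker-controlled wallet,
// an honest transaction, and two tampered ones (swapped payout, swapped target).
const CREATOR = "0xAbCdEf" + "0".repeat(33) + "1";
const ATTACKER = "0xbad" + "0".repeat(34) + "bad";

const honestTx = { to: PINNED_AUCTION_FACTORY, auctionWallet: CREATOR };
const swappedWalletTx = { to: PINNED_AUCTION_FACTORY, auctionWallet: ATTACKER };
const swappedContractTx = { to: ATTACKER, auctionWallet: ATTACKER };

console.log("honest:", checkAuctionTx(honestTx, CREATOR));
console.log("swapped wallet:", checkAuctionTx(swappedWalletTx, CREATOR));
console.log("swapped contract:", checkAuctionTx(swappedContractTx, CREATOR));
```

The point of pinning the factory address and the payout wallet outside the front end is that a compromised bundle controls everything the page renders, so the comparison values must come from somewhere the bundle cannot edit.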
This isn’t the first time MISO has been attacked, however. In fact, a white hat hacker once saved SushiSwap $350 million by finding “obvious” exploits.
A security researcher from the venture capital firm Paradigm, known on Twitter as Samczsun, saved SushiSwap and MISO after he identified a flaw in the MISO Dutch auction contract, in which some of the functions lacked access controls. While this was highlighted nearly a month ago, it looks like the hackers have finally found a way in.
Meanwhile, speculation is rife about who might be behind the hack. The project believes Twitter user @eratos1122, who has previously worked with Yearn.Finance, could be behind it.
The CTO, however, is facing a tough time getting exchanges like Binance and FTX to cooperate. He noted,
“We have asked @FTX_Official and @Binance to turn over the attacker's KYC information, but they have resisted on this time sensitive matter.”
What’s more, the exec also issued a warning. If the stolen funds are not returned by 8 am Eastern Time on Friday, the project will file a complaint with the FBI.