SushiSwap vulnerability hacked for $15,000, core team: attacker has returned, users do not need to bear losses


The DeFi token exchange platform SushiSwap suffered a loss of nearly $15,000 last night due to a vulnerability in its smart contract. The development team responded promptly, with core member 0xMaki collaborating with developers to fix the issue. The updated code will undergo another review by the blockchain security firm PeckShield.

Sushibar Vulnerabilities Abound

In fact, 0xMaki had previously noticed some slight anomalies on the platform, but as of yesterday, these transactions suddenly evolved into industrial-scale automated trades, extracting around $15,000 from Sushibar's 0.05% fee. While 0xMaki was addressing the issue, netizen JuanSnow discovered the transaction message where 0xMaki attempted to contact the attacker, and the matter only came to light after it was tweeted.

0xMaki: Found you, we are working on fixing it, contact me to claim the bug bounty (Source: etherscan)

After discovering the vulnerability late at night, 0xMaki immediately contacted yEarn developer Andy and former Coinbase smart contract engineer Daniel Que for assistance. After four hours, they clarified how the attacker exploited the vulnerability and proceeded to fix it. Andy noted:

The attacker deployed packaged liquidity tokens (LP-xSushi) to a new pool, enabling them to extract tokens from fee rewards with "odd logic."

0xMaki also thanked the two developers on Twitter for their assistance and emphasized the safety of LP-xSushi holders.

This morning, 0xMaki received a response from the attacker, who saw 0xMaki's attempt to contact them and stated:

I thought I found a clever way to earn some LP tokens from an old contract; I had no idea what the contract was for or that it was a bug. I am very sorry for this.

(Source: @0xMaki)

It is understood that the attacker is not required to return the funds, and the lost funds will be classified as a bug bounty. 0xMaki emphasized that no users will bear any losses, as the funds were originally rewards for LP token xSushi holders, and an equivalent amount of Sushi tokens will be provided by the official team and distributed proportionally to users.

Sushi Shows Signs of Recovery

After the end of the DeFi mining craze, DeFi tokens experienced a significant drop, with the previously high rates no longer in sight. However, with the recent surge in Bitcoin prices, the market has seen a recovery, and Sushi was not affected by the recent vulnerability incident. Its price rose from $1.04 on the 26th to $1.53 at the time of writing, with a 24-hour increase of 10.34%.

Previously, the end of Uniswap's Genesis Mining brought positive news for SushiSwap's liquidity, surpassing $1 billion at one point but currently standing at $705 million. Even more intriguing is Uniswap, which still has $1.69 billion in liquidity without mining rewards, five times more than during the rewardless period, with the second mining proposal still under voting.

(Source: sushiswap)