Key Takeaways
- Samzcsun of Paradigm.xyz recently detected a $350 million vulnerability in SushiSwap’s MISO smart contracts.
- The vulnerability caused one of SushiSwap’s contracts to issue a refund without cancelling the relevant transaction.
- The bug was fixed before it was revealed or exploited.
A SushiSwap bug that put over $350 million of Ethereum at risk has been safely patched, according to security researcher samzcsun.
Vulnerability Could Have Drained Contracts
The security flaw concerns SushiSwap’s MISO platform. Developers can use MISO to launch new tokens, similar to an ICO.
In a blog post on Paradigm.xyz, samzcsun said that he happened upon a discussion about a raise on the platform. From there, he decided to inspect the project’s code on Etherscan.
Samzcsun noticed a flaw in one of MISO’s batching libraries. Essentially, this vulnerability mishandled failed transactions. Rather than rejecting a transaction that went above an auction’s hard cap, the contract refunded the transaction to the user.
This could have allowed an attacker to drain funds from SushiSwap up to the hard cap of each auction. Samzcsun wrote:
Suddenly, my little vulnerability just got a lot bigger. I wasn’t dealing with a bug that would let you outbid other participants. I was looking at a 350 million dollar bug.
Samzcsun compared this vulnerability to one that led to a hack on the DeFi options trading platform Opyn last year. In that attack, hackers got away with $371,000 of USDC.
Bug Was Patched In Five Hours
Samzcun and the SushiSwap team attempted to patch the bug by purchasing the allocated funds with a flash loan, finalizing the auction, and then repaying the flash loan with funds from the auction.
The plan was made more complicated by the fact that there was a concurrent batch auction that did not work in the same way and was not vulnerable to the exploit. This auction was much smaller, with only $8 million at stake, so the team decided to go through with the fix to rescue the $350 million in the at-risk auction.
“Even if someone was tipped off by our forced halting of the Dutch auction and found the bug in the batch auction, we would still save the majority of the money,” Samzcsun noted.
The team found a way to pause the batch auction, then proceeded to recover the funds from the at-risk auction. Samzcun noted that it took only five hours to rescue the funds.
Today’s announcement comes just days after a $600 million attack on the Poly Network, another high-profile DeFi platform. The two vulnerabilities were not related.
Disclaimer: At the time of writing this author held less than $75 of Bitcoin, Ethereum, and altcoins.
