Paradigm Team Identifies $350M Smart Contract Vulnerability in SushiSwap's MISO Platform

Quick action from the good Samaritan and the Sushi team helps prevent a massive exploit.

Incredible Moment of Whitehat Protection

And just like that, $350 million (109,000 ETH) has been saved. Samczsun reported that he helped find and resolve a massive bug in the SushiSwap MISO DutchAuction contract.

With clever perusing and even better persistence, Sam sussed out the bug in a whirlwind morning that saw him escalate and help resolve the issue in a matter of hours.

On an initial whim, Samczsun dug deep into the SushiSwap code and discovered the vulnerability. After a few Zoom calls and deliberation on an action plan, the Sushi team set out to resolve the issue before any automated bots could find it.

Samczsun notified SushiSwap and its CTO, Joseph Delong, around 15:40 UTC, and the auction was closed by 19:00 UTC on August 17.

“Today, I’d like to tell you about how I found and helped patch a vulnerability that put over 109k ETH (~350 million USD at today’s exchange rate) at risk,” began Samczsun in his post-mortem report. The full report from Samczsun is worth the read.

Closing the auction removed an attacker's ability to refund the entire auction balance in a single transaction. It was especially troubling that the vulnerable function could be triggered once the auction had reached its maximum capacity. In the case of this particular auction, the potential loss was valued at $350 million USD.

The Community Rally

Upon hearing the news, the SushiSwap team came together quickly to prevent any exploitation. Samczsun confirmed a rapid response from Sushi and other members close to their team.

Sushi confirmed in their own post-mortem that no funds or user activity were affected. The team merely had to close early an auction that had already reached its maximum.

SushiSwap has requested assistance from Immunefi to assess their code and advise on any further response.

The conduct of Samczsun is also a welcome sign. The resolution likely prevented one of the largest crypto hacks in history. According to his bio, he is a Research Partner focused on Paradigm’s portfolio companies, and his research focuses on security and related topics.

“Even though there was no monetary damage, I’m sure that everyone involved would have much preferred to not have gone through this process in the first place,” he wrote in his response.

Like Batman out of the night, Samczsun is the hero we may not deserve.
