A few days ago, SushiSwap suffered a supply chain attack on its token platform (MISO). This led to the loss of 864.8 ETH (worth about $3 million) from the ‘Jay Pegs Auto Mart’ token auction contract. Interestingly, a few hours later the hacker almost completely emptied his address (according to data from Etherscan) and returned 865 ETH to the original MISO contract.
Sushi’s CTO Joseph Delong confirmed the news on Twitter
In a series of tweets, Delong said that SushiSwap suspected that the attacker was eratos1122, a pseudonymous developer who worked with Sushi and other DeFi projects such as Yearn.Finance. He went forward to share a document showing a trail of transactions linked to the hacker’s original address, some of which have been funded by Binance and FTX.
An ultimatum was posted alongside the document threatening the hacker with the FBI and with legal action if the funds weren’t promptly returned.
Although the funds have been returned, it is still uncertain who the attacker was. Delong’s original tweets where he accused the former MISO developer have since been deleted. The accused threatened to release some of the MISO code he was working on if he didn’t receive an apology from Sushi and Delong.
Many saw this as a clear sign of his involvement with the matter. However, neither SushiSwap nor any of its founders have issued further comments on the issue.
SushiSwap and Delong have been criticized by many members of the crypto community for how they handled the situation.