SushiSwap’s MISO platform suffers $3M exploit, CTO threatens to involve FBI

Decentralized finance protocol SushiSwap has suffered an exploit on its token platform (MISO). The attacker made off with 864.8 ETH, currently worth $3 million.
The incident was first revealed to the public by SushiSwap's Chief Technology Officer, Joseph Delong, who tweeted:
The Miso front end has become the victim of a supply chain attack. An anonymous contractor with the GH handle AristoK3 injected malicious code into the Miso front end. We have reason to believe this is @eratos1122.
864.8 ETH was stolen, address below https://t.co/cDZeBqFV4P
— Joseph 🤝 Delong 🔱 (@josephdelong) September 17, 2021
MISO is a suite of open-source smart contracts built to simplify the process of launching a new project on the SushiSwap exchange. According to Delong, the attacker, whose GitHub handle is AristoK3, changed the contract address to one of his own and injected the platform’s front end with malicious code.
The only exploited auction was the @JayPegsAutoMart auction. The attacker inserted their own wallet address to replace the auctionWallet at the auction creation.
Affected auctions have all been patched.
— Joseph 🤝 Delong 🔱 (@josephdelong) September 17, 2021
The CTO added that only one contract address for an NFT auction was exploited, the automobile-themed Jay Pegs Auto Mart, and it has already been patched.
Interestingly, this isn’t the first time MISO has been exploited. A white-hat hacker and security researcher with venture capital firm Paradigm saved SushiSwap from a potential $350 million exploit on the MISO Dutch auction contract a month ago.
There is speculation that Twitter user @eratos1122, who previously worked with Yearn.Finance, could be behind the hack.
The CTO is finding it difficult to get exchanges like Binance and FTX to cooperate. He noted, “we have asked @FTX_Official and @Binance to turn over the attacker’s KYC information, but they have resisted on this time-sensitive matter.”
The exec also issued a warning, threatening that if the stolen funds are not returned by 8 am Eastern Time on Friday, the firm will file a complaint with the FBI.