$350 Million SushiSwap Vulnerability Safely Patched

Key Takeaways

  • Samzcsun of Paradigm.xyz recently detected a $350 million vulnerability in SushiSwap’s MISO smart contracts.
  • The vulnerability caused one of SushiSwap’s contracts to issue a refund without cancelling the relevant transaction.
  • The bug was fixed before it was revealed or exploited.

A SushiSwap bug that put over $350 million of Ethereum at risk has been safely patched, according to security researcher samzcsun.

Vulnerability Could Have Drained Contracts

The security flaw concerns SushiSwap’s MISO platform. Developers can use MISO to launch new tokens, similar to an ICO.

In a blog post on Paradigm.xyz, samzcsun said that he happened upon a discussion about a raise on the platform. From there, he decided to inspect the project’s code on Etherscan.

Samzcsun noticed a flaw in one of MISO’s batching libraries. Essentially, this vulnerability mishandled failed transactions. Rather than rejecting a transaction that went above an auction’s hard cap, the contract refunded the transaction to the user.



This could have allowed an attacker to drain funds from SushiSwap up to the hard cap of each auction. Samzcsun wrote:

Suddenly, my little vulnerability just got a lot bigger. I wasn’t dealing with a bug that would let you outbid other participants. I was looking at a 350 million dollar bug.

Samzcsun compared this vulnerability to one that led to a hack on the DeFi options trading platform Opyn last year. In that attack, hackers got away with $371,000 of USDC.

Bug Was Patched In Five Hours

Samzcun and the SushiSwap team attempted to patch the bug by purchasing the allocated funds with a flash loan, finalizing the auction, and then repaying the flash loan with funds from the auction.


The plan was made more complicated by the fact that there was a concurrent batch auction that did not work in the same way and was not vulnerable to the exploit. This auction was much smaller, with only $8 million at stake, so the team decided to go through with the fix to rescue the $350 million in the at-risk auction.

“Even if someone was tipped off by our forced halting of the Dutch auction and found the bug in the batch auction, we would still save the majority of the money,” Samzcsun noted.

The team found a way to pause the batch auction, then proceeded to recover the funds from the at-risk auction. Samzcun noted that it took only five hours to rescue the funds.

Today’s announcement comes just days after a $600 million attack on the Poly Network, another high-profile DeFi platform. The two vulnerabilities were not related.

Disclaimer: At the time of writing this author held less than $75 of Bitcoin, Ethereum, and altcoins.


The information on or accessed through this website is obtained from independent sources we believe to be accurate and reliable, but Decentral Media, Inc. makes no representation or warranty as to the timeliness, completeness, or accuracy of any information on or accessed through this website. Decentral Media, Inc. is not an investment advisor. We do not give personalized investment advice or other financial advice. The information on this website is subject to change without notice. Some or all of the information on this website may become outdated, or it may be or become incomplete or inaccurate. We may, but are not obligated to, update any outdated, incomplete, or inaccurate information.

You should never make an investment decision on an ICO, IEO, or other investment based on the information on this website, and you should never interpret or otherwise rely on any of the information on this website as investment advice. We strongly recommend that you consult a licensed investment advisor or other qualified financial professional if you are seeking investment advice on an ICO, IEO, or other investment. We do not accept compensation in any form for analyzing or reporting on any ICO, IEO, cryptocurrency, currency, tokenized sales, securities, or commodities.

See full terms and conditions.

Source: Read Full Article