Potential ~S$786M SushiSwap DeFi Hack Foiled: What Crypto Investors Need to Know About DeFi Risk
While we were going about our life this past week, something incredible happened in the world of decentralised finance (DeFi).
White hat hackers discovered a vulnerability on SushiSwap’s Minimal Initial Swap Offering (MISO) token launchpad platform.
FYI: A white-hat hacker is an ethical computer hacker or computer security expert who proactively finds vulnerabilities in software so they can be fixed before malicious hackers exploit them.
Thankfully the vulnerability was patched; had it been exploited, 190,000 ETH (worth ~S$786 million according to CoinGecko at the time of writing) could have been stolen by malicious hackers.
Here is a recount of the incident and an explainer on how safe DeFi protocols are.
TL;DR: How a Potential SushiSwap Hack Was Prevented
- SushiSwap is a decentralised exchange (DEX) built on the Ethereum blockchain.
- If not for the work of white-hat hackers led by samczsun, S$786 million could have been potentially stolen from SushiSwap’s Minimal Initial Swap Offering (MISO) platform due to a smart contract software vulnerability.
- Thankfully, the vulnerability was patched and the money was not stolen.
- But, there are risks associated with DeFi protocols you should be aware of.
Disclaimer: The information provided by Seedly serves as an educational piece and is not intended to be personalised investment advice. Seedly does not recommend that any cryptocurrency should be bought, sold, or held by you. Readers should always do their own due diligence and consider their financial goals before investing in any investment product and consult your financial advisor before making any investment decisions.
What is SushiSwap?
But first some context.
SushiSwap is a decentralised exchange (DEX) built on the Ethereum blockchain.
But what is a DEX you might ask?
Well, a DEX is essentially a peer-to-peer exchange platform that facilitates cryptocurrency trades between buyers and sellers. Unlike centralised exchanges (CEXs), DEXs are not centrally controlled. Instead, DEXs employ smart contracts that are programmed to process transactions automatically when certain preset conditions are met. Basically, these smart contracts function as automated market makers that use liquidity pools to let users swap cryptocurrencies in a permissionless manner. The liquidity pools are funded by users who lock up their coins in smart contracts, and those pooled coins are what buyers and sellers trade against on the exchange. DEXs are also non-custodial, which means that you keep control of your own blockchain wallet when trading on a DEX.
SushiSwap was launched back in August 2020 as a DeFi protocol and hard fork of UniSwap V2.
SushiSwap has quite a controversial history as the developers used underhanded methods to try and bring down UniSwap.
According to CoinMarketCap, SushiSwap is currently the fifth-largest DEX in the world based on trading volumes and market share of DeFi markets.
The DEX is known for its many innovative features like SushiSwap’s MISO Launchpad Platform.
SushiSwap MISO Launchpad Platform
So here is how MISO works.
Think of it like a Shopify Inc (NYSE: SHOP) but for cryptocurrency tokens.
If you are looking to build a DeFi protocol but are not too good at coding, you can use MISO to help bring your vision for a cryptocurrency token to life.
The launchpad platform is a complete solution as it helps you create a token from start to launch.
- TokenFactory — A Factory to create tokens for projects; fixed supply, mintable, Sushi token.
- Fermentation — Vaulting/escrow options for locking up tokens over time
- Market — Contracts for initial token offerings; Fixed price crowdsale, batch auctions (also known as an IBCO), and Dutch auctions.
- Farm — Fresh tokens can be farmed for rewards by users
- Launcher — Easy liquidity migrations; set a portion of raised funds to create a new SushiSwap pool to migrate trustlessly and launch them on the SushiSwap exchange.
In addition, the smart contracts provided are audited by the SushiSwap team so there’s that assurance from the team.
But pay special attention to the Market feature.
How Was This Vulnerability Discovered And Patched?
So here is what happened.
Our hero of the story, so to speak, is the research partner at San Francisco-based venture capital firm Paradigm who goes by the pseudonym samczsun.
To put together this recount, I looked at the postmortem from the SushiSwap team published on 16 Aug 2021 and a blog post from samczsun published on 17 Aug 2021.
A few days ago, samczsun was casually discussing a new BitDAO token sale on SushiSwap’s MISO platform with his peers.
This time around, the folks from DeFi protocol BitDAO were conducting a Dutch auction on SushiSwap’s MISO platform.
FYI: According to the Corporate Finance Institute, a Dutch auction is a price discovery process in which the auctioneer starts with the highest asking price and lowers it until it reaches a price level where the bids received will cover the entire offer quantity. Once the auction is completed, bids that were unsuccessful would be refunded to the users.
The Dutch auction piqued samczsun’s interest and he opened up the BitDAO MISO Dutch auction’s contract on Etherscan to find out more.
He then discovered a vulnerability in the smart contract where some of the functions were missing access controls.
The SushiSwap team also identified the vulnerability where a hacker could batch multiple calls and reuse the same Ether (ETH) to ‘bid in the auction for free.’
If this vulnerability was exploited, the entire supply of 190,000 ETH (worth ~S$786 million) locked in the token auction contract could be drained out by hackers.
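To make the ‘batch multiple calls and reuse the same ETH’ failure mode concrete, here is an added, deliberately simplified illustration written for this article. It is not SushiSwap’s or MISO’s code, and the contract, function and variable names (`ToyAuctionWeak`, `ToyAuctionHardened`, `commitEth`, `batch`, `withdrawRaised`, `commitments`) are hypothetical. The weak version has a payable batch entry point: because `delegatecall` preserves `msg.value`, every sub-call sees the same attached payment and credits it again, so one payment is counted several times. It also leaves a privileged function without an access check, the other class of defect the article mentions. The hardened version makes the batch entry point non-payable and gates the privileged function behind an admin check.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration for this article (hypothetical names, not MISO code).
// A toy sale contract that records how much ETH each bidder has committed.
contract ToyAuctionWeak {
    mapping(address => uint256) public commitments;
    uint256 public totalCommitted;
    address public admin;

    constructor() { admin = msg.sender; }

    // Credits the attached ETH to the caller.
    function commitEth() external payable {
        commitments[msg.sender] += msg.value;
        totalCommitted += msg.value;
    }

    // Convenience entry point: run several calls against this contract in one
    // transaction. Defect: delegatecall keeps the outer msg.value, so a batch of
    // N encoded commitEth() calls is credited N times for a single payment,
    // while the contract only ever received that payment once.
    function batch(bytes[] calldata calls) external payable {
        for (uint256 i = 0; i < calls.length; i++) {
            (bool ok, ) = address(this).delegatecall(calls[i]);
            require(ok, "sub-call failed");
        }
    }

    // Defect: no access control, so any caller can sweep the raised ETH.
    function withdrawRaised(address payable to) external {
        to.transfer(address(this).balance);
    }
}

contract ToyAuctionHardened {
    mapping(address => uint256) public commitments;
    uint256 public totalCommitted;
    address public admin;

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    constructor() { admin = msg.sender; }

    function commitEth() external payable {
        commitments[msg.sender] += msg.value;
        totalCommitted += msg.value;
    }

    // Fix: the batch entry point is not payable. Solidity reverts if ETH is
    // attached, so msg.value is 0 inside every delegatecalled sub-call and a
    // payment can never be counted more than once through this path.
    function batch(bytes[] calldata calls) external {
        for (uint256 i = 0; i < calls.length; i++) {
            (bool ok, ) = address(this).delegatecall(calls[i]);
            require(ok, "sub-call failed");
        }
    }

    // Fix: privileged action gated behind the admin check.
    function withdrawRaised(address payable to) external onlyAdmin {
        to.transfer(address(this).balance);
    }

    // Invariant a test suite can assert while the sale is open (before any
    // payout): credited commitments must never exceed the ETH actually held.
    function solvent() external view returns (bool) {
        return totalCommitted <= address(this).balance;
    }
}
```

The `solvent()` view is the kind of check an auditor or test suite would run after every sequence of calls: in the weak contract a batch of repeated `commitEth()` calls makes `totalCommitted` exceed the real balance, whereas in the hardened contract it cannot, because value can only enter through a direct, singly-counted `commitEth()` call.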
samczsun managed to exploit the vulnerability in a test hack. He then roped in his colleagues Georgios Konstantopoulos and Dan Robinson to verify the exploit.
samczsun then contacted SushiSwap CTO Joseph Delong with the details of the exploit before malicious actors could exploit this vulnerability.
The BitDAO team immediately went ahead to stop the auction manually by bidding for the remaining allocation to complete the auction and salvage the funds.
Thankfully the BitDAO auction went smoothly with the BitDAO team confirming on Twitter yesterday (17 Aug 2021) that 112,000 ETH (worth about S$463.5 million at the time of writing) was successfully raised.
How Safe Are DeFi Protocols?
This near-miss comes hot on the heels of last week’s Poly Network hack, where a hacker or group of hackers stole US$600 million (~S$816 million) worth of cryptocurrencies from the DeFi protocol.
Heists like this one, the biggest cryptocurrency heist of all time, are not uncommon in the world of DeFi or traditional financial institutions.
Even samczsun, the white-hat hacker who exposed the SushiSwap MISO vulnerability, had this to say about vulnerabilities in software:
A common misconception in building software is that if every component in a system is individually verified to be safe, the system itself is also safe.
Nowhere is this belief better illustrated than in DeFi, where composability is second nature to developers.
Unfortunately, while composing two components might be safe most of the time, it only takes one vulnerability to cause serious financial damage to hundreds if not thousands of innocent users.
We should be listening to him, as according to his CoinTelegraph profile, samczsun was incredibly prolific in 2020 as he:
found and privately disclosed critical vulnerabilities in Curve Finance, the Ethereum Name Service, Synthetix, Kyber Network, Nexus Mutual, Hegic Options, Aragon, Atomic Loans, Yearn.finance, Incognito and a few others.
Each of those bugs could have resulted in hundreds of thousands of dollars in losses, but thanks to his work, the teams were able to patch those issues up before malicious actors could exploit them.
I’m not saying that this does not happen to banks.
But unlike traditional banks or financial institutions which have more insurance and are more regulated, the world of DeFi is still the wild west in comparison.
If a hack or something like the Iron Finance DeFi protocol bank run happens, there is little recourse for consumers.
Thus, we would urge you to conduct thorough due diligence before you put your money into DeFi protocols and invest only what you can afford to lose.
I hope the article didn’t scare you off completely.
The cryptocurrency industry is still in its infancy and will have teething problems as it grows.
But we are still excited about the promise it brings.
As such, we have partnered with SingSaver and American Express to launch this super exclusive Bitcoin campaign for the first time ever in Singapore.
You will receive up to S$365 worth of Bitcoin when you successfully apply for a credit card. This offer is ONLY available on Seedly & SingSaver. You will not find it anywhere else.
These rewards will be given out from now until 7 November 2021 OR until S$1 million worth of Bitcoin has been claimed, whichever is earlier.
Also, the first 2,000 eligible applicants will receive an additional S$100 worth of Bitcoin so get to it!
If you were wondering, these rewards will also be given out to your Gemini account as they are our exclusive cryptocurrency wallet partner for this campaign.
How to Apply:
- Apply for your favourite credit card.
- Receive up to S$265 (S$265 for new customers and S$50 for existing customers) worth of Bitcoin after you fulfil the eligibility requirements.
- Spend S$500 on the card within the first 30 days of card approval.
- Be one of the first 2,000 eligible applicants to receive up to an additional S$100 worth of Bitcoin.
Eligible Cards: American Express in Singapore
Here are the cards you can apply for with this campaign:
More details about the cards can be found on the landing page. And of course, terms and conditions apply.
Disclaimer: Seedly and Singsaver will never ask you for your crypto wallet address nor instruct you to transfer any crypto to us throughout any of the campaigns.