Sushi Patches A Vulnerability that Put Over $350 Million at Risk
DeFi bluechip Sushi team worked fast and patched a vulnerability that, if exploited, could have easily resulted in the loss of 109 ETH, worth about $350 million.
The vulnerability was found and disclosed by @Samczsun, a research partner at Paradigm, the VC firm co-founded by the Coinbase co-founder, Fred Ehrsam.
In his disclosure, Sam shared that he first discovered the vulnerability on Tuesday at 9:47 am while going through SushiSwap’s MISO platform, which operates two types of auctions Dutch auctions and batch auctions.
While the commit functions seemed to be implemented correctly and auction management functions had proper access controls, the initMarket function had no access controls, and the initAuction function it called also contained no access control checks.
San then found that inside a delegatecall, performed by mixin library BoringBatchable to easily introduce batch calls to any contract which imports it, msg.sender and msg.value persisted which meant “I should be able to batch multiple calls to commitEth and reuse my msg.value across every commitment, allowing me to bid in the auction for free,” he noted.
But on more inspection, the researcher found that vulnerability was much bigger than first expected.
“I wasn’t dealing with a bug that would let you outbid other participants. I was looking at a 350 million dollar bug.”
Sam then reached out to the Sushi team, and together they decided to rescue the funds by purchasing the remaining allocation and immediately finalizing the auction.
The vulnerability was patched within five hours of first discovering the bug after much discussion and maneuvering.
This week, crypto exchange Bybit’s BitDAO raised $360 million on Sushi’s launchpad MISO.
The popular decentralized finance project currently has $4.52 billion of total value locked in it (TVL), down from a $5.52 billion all-time high in May. SushiSwap accounts for the second-largest DEX market share at 12.8% recording $2 billion in weekly volume.
Its token SUSHI is currently trading at $12.73, down 45.3% from its March peak of $23.38, up 55% in the past two weeks, and 283% YTD.