Nexo

We’re Giving out 10 BTC in Rewards until the Bitcoin Halving

Learn More
Home » News » Sushi’s Initial Offering Launchpad Suffers $3M Exploit

Sushi's Initial Offering Launchpad Suffers $3M Exploit

by

The MISO launchpad suffered a so-called supply chain attack that saw a hacker change a contract address to one they control.

Sushi's Initial Offering Launchpad Suffers $3M Exploit
Shutterstock cover by Evgeny Karandaev

Key Takeaways

  • SushiSwap’s MISO token launchpad has suffered a $3 million supply chain attack.
  • Sushi has identified a suspect based on the transaction history of addresses linked to the attacker's.
  • The project has instructed their lawyer to file a complaint with the FBI if the funds aren’t returned by 12:00 UTC.

Share this article

Sushi’s token launchpad MISO has suffered a supply chain attack. The malicious actor changed a smart contract address to one they control, draining $3 million worth of Ethereum. 

Sushi Launchpad MISO Suffers $3M Attack

Sushi’s MISO launchpad has suffered an exploit.

The attacker drained $3 million worth of Ethereum from the Jay Pegs Auto Mart token auction contract on the launchpad, the project’s CTO Joseph Delong announced on Twitter early Friday. 

The attacker switched a contract address on the launchpad with one they control then drained it of 864.8 Ethereum.

MISO is a permissionless token launchpad that forms part of Sushi’s popular DeFi platform. It’s built on the project’s flagship offering, the decentralized exchange SushiSwap, and allows DeFi protocols to bootstrap their projects through crowd, batch, and Dutch auction sales. 

According to Delong, only one auction contract has been exploited, while all other infected auctions have been patched. 

https://twitter.com/josephdelong/status/1438712356352274433

Delong said that Sushi “has reasons to believe” that the attacker was eratos1122, a pseudonymous developer who’s previously worked with the yield aggregator Yearn.Finance “and has approached many other projects.” 

Delong shared an Etherscan link to the wallet containing the stolen 864.8 ETH, as well as a document showing a paper trail of transactions linked to the hacker’s original address. Although the address had made only one transaction prior to the hack, the transaction history Sushi has gathered shows that other addresses one to three times removed from the address have been funded by Binance and FTX. 

The document also lists the names, contact details, social media accounts, and screenshots of social media interactions of the suspect and individuals that have interacted with him based on the transaction history. Interestingly, the document indicates that the suspect, Sava Grujic, has also worked on projects for MISO this year. Delong posted an ultimatum alongside the document, asserting that Sushi’s lawyer would report the case to the FBI if the funds aren’t returned by 12:00 UTC.

Delong also said that Sushi had contacted Binance and the FTX exchanges to turn over the attacker’s personal information. Binance responded to Delong’s post, confirming that it was “investigating the incident” and requesting more information. 

After gaining roughly 20% in value on Thursday, SUSHI dropped roughly 8% on the news, dipping from $16 to $14 dollars.

Update: Since publishing this article, the attacker has returned the stolen funds and a little more, sending back a total of 865 ETH, 0.2 ETH more than the amount taken.

Disclosure: At the time time of writing this feature, the author held SUSHI.

Share this article

The information on or accessed through this website is obtained from independent sources we believe to be accurate and reliable, but Decentral Media, Inc. makes no representation or warranty as to the timeliness, completeness, or accuracy of any information on or accessed through this website. Decentral Media, Inc. is not an investment advisor. We do not give personalized investment advice or other financial advice. The information on this website is subject to change without notice. Some or all of the information on this website may become outdated, or it may be or become incomplete or inaccurate. We may, but are not obligated to, update any outdated, incomplete, or inaccurate information.

Crypto Briefing may augment articles with AI-generated content created by Crypto Briefing’s own proprietary AI platform. We use AI as a tool to deliver fast, valuable and actionable information without losing the insight - and oversight - of experienced crypto natives. All AI augmented content is carefully reviewed, including for factural accuracy, by our editors and writers, and always draws from multiple primary and secondary sources when available to create our stories and articles.

You should never make an investment decision on an ICO, IEO, or other investment based on the information on this website, and you should never interpret or otherwise rely on any of the information on this website as investment advice. We strongly recommend that you consult a licensed investment advisor or other qualified financial professional if you are seeking investment advice on an ICO, IEO, or other investment. We do not accept compensation in any form for analyzing or reporting on any ICO, IEO, cryptocurrency, currency, tokenized sales, securities, or commodities.

See full terms and conditions.