cryptoslate.com
SushiSwap‘s token launch platform MISO suffered a supply chain attack yesterday that drained 864.8 ETH from the ‘Jay Pegs Auto Mart’ token auction contract.
The exploit was first identified by Sushi’s CTO Joseph Delong on September 17th, who tweeted out a link to the transaction that drained the funds from the protocol.
A stressful day for Sushi and MISO ends well for token holders
According to Delong, an anonymous contractor managed to inject malicious code into the MISO front end, replacing the original contract for the Jay pegs Auto Mart token auction with a personal Ethereum address. A total of 864.8 ETH has been transferred to the address, but no other auctions have been affected by the exploit.
In a series of since-deleted tweets, Delong said that Sushi had “reasons to believe” the attacker was eratos1122, a pseudonymous developer who worked with Sushi and other DeFi projects such as Yearn.Finance. He shared a document showing a trail of transactions linked to the hacker’s original address, some of which have been funded by Binance and FTX.
An ultimatum was posted alongside the document threatening the hacker with legal action if the funds weren’t promptly returned.
Just a couple of hours later, the hacker returned 865 ETH to the original MISO contract. Data from Etherscan showed that the hacker’s address was almost completely empty, with Delong himself confirming the news on Twitter.
All funds returned 🙌
— Joseph 🤝 Delong 🔱 (@josephdelong) September 17, 2021
In the hours since the funds have been returned, it still hasn’t become clear who the attacker was. Delong’s original tweets where he accused the former MISO developer have been deleted. The person he accused of theft threatened to release some of the MISO code he was working on if he didn’t receive an apology from Sushi and Delong. And while many saw this as a clear sign of his involvement with the incident, neither Sushi nor any of its founders have issued further comments on the issue.
Hey @josephdelong
This is really crazy
Plz delete it and say `sorry` to everyone
If not, I am going to share all of the MISO project that I have
(You know what I have worked on MISO project very well)— 0x A.K. (@eratos1122) September 17, 2021
Many members of the crypto community criticized Sushi and Delong for their handling of the situation. With the protocol mostly built by anonymous developers, pointing fingers and doxxing without a proper investigation has put a dent into Sushi’s reputation.
Despite funds returned, Miso incident was handled poorly imo. CTO throwing accusations and cracking doxxing jokes while Sushi was mostly built by anon contributors is not a good look. You can't control the mob once you unleash it.
— banteg (@bantg) September 17, 2021