A non-fungible token (NFT) auction on the MISO token launchpad built on SushiSwap appears to have been exploited, with the attacker making off with roughly $3 million in ether, SushiSwap CTO Joseph Delong tweeted Thursday.
Delong said that an anonymous contractor using the GitHub handle "AristoK3" injected malicious code into MISO's front end in a supply chain attack. He linked to an Ethereum address showing ETH 864.8 being transferred at approximately 16:00 UTC on Thursday.

Etherscan has identified the address as part of an exploit.

In a supply chain attack, the attacker compromises something the victim already trusts, in this case the code that builds and serves the auction's front end, rather than the protocol's smart contracts themselves. Swapping a hard-coded contract or wallet address for one the attacker controls is one way to abuse that access. The U.S. National Counterintelligence and Security Center notes that this type of attack can also occur through open-source software libraries.

According to the CTO, only one contract, the one for the JayPegsAutoMart NFT sale, appears to have been affected.

The attacker, who has done work with the DeFi protocol yearn.finance, replaced the auction's wallet address in the front end with one they control, Delong said.
The CTO said the team "has reason to believe" the attacker was eratos1122, linking to a Twitter account whose owner describes themselves as a blockchain and mobile games developer.

SushiSwap has asked the exchanges FTX and Binance to hand over the know-your-customer (KYC) information they hold on the individual.

CoinDesk has not been able to independently verify the attacker’s identity as of press time.
If the funds are not returned by 12:00 UTC, the DeFi exchange will file a complaint with the FBI, Delong said.