· SushiSwap’s MISO launchpad hacked
· An auction was hijacked via a supply chain attack
· The attackers funneled 864.8 ETH, equivalent to $3 million
· Binance working with SushiSwap to investigate the theft
A software supply chain attack has hit SushiSwap’s MISO platform. SushiSwap is a community-driven DeFi (decentralized finance) platform where users can swap, lend, borrow, leverage, and earn cryptocurrency assets in one place. Sushi’s latest offering, MISO (Minimal Initial SushiSwap Offering), launched earlier this year. It is a token launchpad that allows projects to launch their own tokens on the SushiSwap network.
In a thread on Twitter today, SushiSwap’s CTO Joseph Delong said that an auction on the MISO launchpad had been hijacked through a supply chain attack. An unknown contractor using the GitHub handle AristoK3, who had access to the code repository, pushed a malicious code commit. The code was distributed to the front end of the platform.
A software supply chain attack happens when an attacker hijacks or interferes with the software manufacturing process and inserts malicious code, so that a significant number of consumers are affected.
This can happen when individual components or code libraries are infected, or when software binaries are trojanized. It can also occur when code-signing certificates are stolen or SaaS (software as a service) servers are compromised. A supply chain attack can cause more damage than a random security breach.
In this case, Delong states that "the attacker inserted their own wallet address to replace the auctionWallet at the auction creation." The attackers funneled 864.8 ETH, approximately $3 million, into their wallet. According to Delong, only an automobile mart auction was exploited, with all affected auctions already patched.
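A wallet address swapped into front-end code by a commit, as described above, is the kind of change a pre-merge check can surface. The following is an added example, not code from SushiSwap or from this article: it scans a unified diff for newly added Ethereum address literals that are not on a reviewed allowlist. It assumes the address arrives as a literal in the committed source; the file path, `feeRecipient`, and both addresses are constructed for illustration.

```javascript
// Added example, not SushiSwap's code: flag Ethereum address literals that a
// commit adds to front-end source unless they are on a reviewed allowlist.
const ADDRESS_RE = /0x[0-9a-fA-F]{40}(?![0-9a-fA-F])/g; // 20-byte address, not a 32-byte hash

function findUnapprovedAddresses(diffText, allowlist) {
  const approved = new Set(allowlist.map((a) => a.toLowerCase()));
  const findings = [];
  let file = null, lineNo = 0, oldLeft = 0, newLeft = 0;
  for (const line of diffText.split("\n")) {
    if (oldLeft <= 0 && newLeft <= 0) {
      // Outside a hunk body: only file and hunk headers matter.
      if (line.startsWith("+++ ")) file = line.slice(4).replace(/^b\//, "");
      const h = /^@@ -\d+(?:,(\d+))? \+(\d+)(?:,(\d+))? @@/.exec(line);
      if (h) {
        oldLeft = h[1] === undefined ? 1 : Number(h[1]);
        lineNo = Number(h[2]);
        newLeft = h[3] === undefined ? 1 : Number(h[3]);
      }
      continue;
    }
    if (line.startsWith("\\")) continue; // "\ No newline at end of file"
    if (line.startsWith("-")) { oldLeft--; continue; }
    if (line.startsWith("+")) {
      for (const m of line.slice(1).matchAll(ADDRESS_RE)) {
        const address = m[0].toLowerCase();
        if (!approved.has(address)) findings.push({ file, line: lineNo, address });
      }
    } else {
      oldLeft--; // unchanged context line counts on both sides
    }
    newLeft--; lineNo++;
  }
  return findings;
}
// Constructed sample: both addresses, feeRecipient and the file path are made up.
const TREASURY = "0x" + "11".repeat(20);
const INJECTED = "0x" + "Ab".repeat(20);
const SAMPLE_DIFF = [
  "--- a/src/auction/create.js",
  "+++ b/src/auction/create.js",
  "@@ -10,4 +10,5 @@",
  "   const params = {",
  "     token: form.token,",
  "-    auctionWallet: form.wallet,",
  `+    auctionWallet: "${INJECTED}",`,
  `+    feeRecipient: "${TREASURY}",`,
  "   };",
].join("\n");
console.log(findUnapprovedAddresses(SAMPLE_DIFF, [TREASURY]));
```

Run against the diff of each pull request, a non-empty result is a reason to hold the merge until a second reviewer confirms the address.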
Binance announced it was working with SushiSwap to investigate the incident. "Assuming the funds aren't returned by 8a ET. We have instructed our lawyer [Stephen Palley] to file an IC3 complaint with the FBI," said Delong.