Joseph Delong, chief technology officer of decentralized finance (DeFi) platform SushiSwap, announced that a hacker compromised the supply chain of its token launchpad platform, MISO.
According to Delong, the “anonymous contractor with the GH handle AristoK3 injected malicious code into the Miso front end,” replacing the auction wallet address with their own and subsequently acquiring 865 Ether (ETH), valued at $3 million. This data can be verified via EtherScan.
The hacker exploited the single target of the Jay Pegs Auto Mart token auction, a parody NFT project imitating the value of a 2007 Kia Sedona.
On what he called the “hardest day of my life so far,” the former senior software engineer at ConsenSys claimed to have gained little support from leading crypto exchanges FTX and Binance in his pursuit of the funds.
The attacker(s) has done work with @Yearn and has approached many other projects. I urge you to check your own front ends for exploits.
— Joseph Delong (@josephdelong) September 17, 2021
Delong publicly expressed his suspicions of the hacker’s identity as blockchain and web developer Eratos. The individual hasn’t yet responded to the accusations.
Just last month, a white hat security programmer miraculously saved the SushiSwap protocol from a potentially disastrous $350-million hack, again through its token launchpad platform, MISO, after discovering a severe vulnerability within the auction contract of the BitDAO token sale.
Fortunately, the exploit wasn’t discovered by loitering hackers, and the sale continued without disturbance. Despite this, the event did showcase — as the white hat described — the “obvious misstep” taken by the team’s security operation.
The DeFi platform announced its highly anticipated “7/20” project update in July this year, revealing the future launch of a new automated market maker called Trident designed to become the most capital-efficient on the market.