A hacker saves DeFi from a new attack
A week after the Poly Network protocol suffered a $ 600 million attack (the majority of assets have since been returned), the decentralized finance (DeFi) industry could have been rocked by another massive hack.
This time, the target was MISO, a platform dedicated to the launch of new tokens and based on the decentralized exchange SushiSwap. Fortunately, this disaster was avoided thanks to the collaboration of a “white hat” (benevolent) hacker.
The case was revealed on Twitter by one of the saviors himself, a certain Samczsun, a researcher specializing in cryptocurrency for the company Paradigm.
Auditor’s logs, 16th of August. I found a critical vulnerability in SushiSwap’s MISO platformhttps: //t.co/untzdxay7q
– samczsun (@samczsun) August 17, 2021
Cybersecurity specialists Samczsun and his colleagues Georgios Konstantopoulos and Daniel Robinson contacted the SushiSwap team to alert them to “a vulnerability”. This concerned the smart contract supporting the auction of BitDAO tokens on the MISO platform.
👉 On the same subject – ChainSwap victim of a second attack in ten days – Token prices tumble
What could have happened?
The BitDAO token sale took place in the form of a “Dutche Auction”, a Dutch auction. In short, investors place bids for the maximum amount they are willing to pay. When all the bids are collected, the highest is declared the winner. Logically, unsuccessful offers are returned to their owners.
So far, nothing abnormal. However, researchers at Paradigm identified the “vulnerability” that could have been very expensive.
Indeed, this flaw gave the possibility to a hacker to make multiple calls to the commitEth function (that is to say to bid several times and for free) while reusing a single msg.value for each commitment (c ‘ that is to say that in appearance, there was only one real auction).
When reimbursing, the pirate would therefore have recovered the amount of his stake, multiplied by the number of times he had repeated the operation described above. All the funds bid by the participants would thus have been drained.
“Users could overbid and get a refund for the difference between the current bid and the amount they submitted, but the refund could be repeated to empty the auction contract,” explained Duncan Townsend, CTO at Immunefi , also recruited to help solve the problem.
Finally, thanks to the work of these benevolent hackers, the BitDAO team was able to manually end the auction before the flaw was exploited. According to their latest information, no loss is to be deplored.
The sale ultimately enabled BitDAO to raise $ 365 million. A significant sum that could certainly have been fully drained without the intervention of Paradigm and its experts.
👉 To go further – ChainSwap victim of a second attack in ten days – Token prices tumble
Receive a recap of crypto news every Sunday 👌 And that’s it.
About the Author: Lilian Aliaga
Freelance writer located between Paris and Toulouse. I want to share my passion for the world of cryptocurrencies with as many people as possible. I am also interested in technical analysis and trading.
All articles by Lilian Aliaga.