Critical vulnerability found in SushiSwap put $350 million at risk

A critical vulnerability found on decentralized exchange platform SushiSwap put over $350 million at risk before it was patched by developers last night, a report this morning showed.

It was discovered by ‘samczsun,’ a pseudonymous security researcher at Paradigm, who quickly informed Sushi developers about the bug and helped mitigate any potential harm.

Auditor’s logs, 16th of August. I found a critical vulnerability in SushiSwap’s MISO platformhttps://t.co/untzdxay7q

— samczsun (@samczsun) August 17, 2021

“Today, I’d like to tell you about how I found and helped patch a vulnerability that put over 109k ETH (~350 million USD at today’s exchange rate) at risk,” samczsun wrote, adding that the exploit involved protocols that were otherwise safe and bug-free, but that their composite was not.

SushiSwap and MISO

Powered by the SUSHI token, SushiSwap is an Ethereum-based decentralized exchange that allows users to swap, earn, farm yields, and borrow cryptocurrencies. The DEX also launched the Minimal Initial Sushi Offering (MISO) program recently as part of broadening its product suite.

The BIT-ETH auction finished successfully in just a few hours with a maximum commitment size, prompting finalization and allowing the tokens to be immediately claimable.

~ 80M$ in liquidity available on @SushiSwap 🥳https://t.co/9ebAGZn2n1

— SushiChef (@SushiSwap) August 17, 2021

And what’s MISO? It’s a SushiSwap-powered protocol that allows users and developers to launch new projects and list their tokens instantly on the SushiSwap exchange. This arrangement allows SushiSwap to gain more capital and cater to even more users.

The way MISO interacts with SushiSwap is where the vulnerability was found. “The MISO platform operates two types of auctions: Dutch auctions* and batch auctions*,” wrote samczsun. The researcher then checked the code and found contract code similar to what was used by decentralized options market team Opyn, one that allowed hackers to reuse ETH sent to the contract multiple times.

“I realized that I was looking at the exact same vulnerability in a different form,” samczsun stated, adding:

“Inside a delegatecall, msg.sender and msg.value are persisted. This meant that I should be able to batch multiple calls to commitEth and reuse my msg.value across every commitment, allowing me to bid in the auction for free.”

The bug would have caused any ETH sent over the auction’s hard cap to be refunded.

Core members of the SushiSwap team were immediately notified of the vulnerability and jumped with samczsun ‘within minutes’ to fix the bug. The team finalized—from three possible solutions—this one: By writing up code to purchase the remaining allocation and immediately finalizing the auction (a step that required admin permissions).

(Footnote: Dutch auctions are a market structure wherein the price of an offered asset is determined after taking in all bids to arrive at the highest price at which the total offering can be sold, while Batch auctions refer to an accumulation of orders that are executed simultaneously.)