SushiSwap’s CTO says the company’s MISO platform has been hit by a software supply chain attack. SushiSwap is a community-driven decentralized finance (DeFi) platform that allows users to trade, earn, lend, borrow, and leverage cryptocurrency assets, all from one place. Launched at the beginning of this year, Sushi’s latest offering, Minimal Initial SushiSwap Offering (MISO), is a token launchpad that allows projects to launch their own tokens on the Sushi network.
Unlike cryptocurrencies, which need a native blockchain and substantial infrastructure, DeFi tokens are easier to implement because they can run on an existing blockchain. For example, anyone can create their own “digital tokens” on top of the Ethereum blockchain without having to build a new cryptocurrency from scratch.
Attacker Steals $3 Million In Ethereum Via GitHub Commit
In a Twitter thread today, SushiSwap’s CTO Joseph Delong announced that an auction on the MISO launchpad had been hijacked via a supply chain attack. An “anonymous contractor” with the GitHub handle AristoK3 and access to the project’s code repository had pushed a commit of malicious code that was then deployed to the platform’s front end.
A software supply chain attack occurs when an attacker interferes with or hijacks the software build and delivery process to insert malicious code, so that the many consumers of the finished product are affected by the attacker’s actions at once. This can happen when code libraries or individual components used in a software build are contaminated, when software update binaries are trojanized, when code-signing certificates are stolen, or even when a server hosting a software-as-a-service offering is breached. Compared to an isolated security breach, a successful supply chain attack therefore produces much more widespread impact and damage.
In the MISO case, Delong says that “the attacker inserted his own wallet address to replace the auction in the creation of the auction”:
The MISO interface has become the victim of a supply chain attack. An anonymous contractor with the GH handle AristoK3 injected malicious code into the MISO interface. We have reason to believe that this is @eratos1122.
864.8 ETH was stolen, address below https://t.co/cDZeBqFV4P
– Joseph 🤝 Delong 🔱 (@josephdelong) September 17, 2021
Through this exploit, the attacker was able to funnel 864.8 Ethereum coins, around $3 million, into his wallet.
So far only one auction, the Auto Mart auction (1, 2), has been exploited on the platform, according to Delong, and all affected auctions have been patched. The auction’s final amount matches the number of Ethereum coins stolen.
Stolen funds from the Auto Mart auction on SushiSwap’s MISO platform
SushiSwap has requested the attacker’s Know Your Customer records from cryptocurrency exchanges Binance and FTX in an effort to identify the attacker. Binance publicly said it is investigating the incident and offered to work with SushiSwap.
“Assuming the funds are not returned by 8:00 ET, we have instructed our attorney [Stephen Palley] to file an IC3 complaint with the FBI,” Delong said.
Ars has seen the balance of the attacker’s wallet shrink over the last few hours, indicating that the funds are changing hands. Recent transactions (1, 2) show the “Miso Front End Exploiter” returning the stolen coins to SushiSwap’s wallet labelled “Multisig operation.”
Although it is rare, attackers and cybercriminals do sometimes return stolen funds to their rightful owner for fear of repercussions from law enforcement, as we saw in the $600 million Poly Network heist.
But how did the attacker get access to GitHub?
According to SushiSwap, rogue contractor AristoK3 pushed the malicious commit 46da2b4420b34dfba894e4634273ea68039836f1 to Sushi’s “miso-studio” repository. Since the repository appears to be private, GitHub returns a 404 “not found” error to anyone not authorized to view it. So how did the “anonymous contractor” get access to the project repository in the first place? Surely there must be a vetting process somewhere at SushiSwap?
Although anyone can offer to contribute to a public GitHub repository, only certain people can access or contribute to a private one. And even then, ideally, commits are reviewed and approved by trusted members of the project before they are merged.
Cryptocurrency enthusiast Martin Krung, creator of the “vampire attack,” wondered whether the attacker’s pull request was properly reviewed before being merged into the codebase, and received feedback from former SushiSwap contributors:
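The control that failed here is review of a front-end change that swapped in a hard-coded wallet address. As an added illustration (not code from SushiSwap or from this article), the following Python script is the kind of pre-merge check a CI job could run on a pull request’s diff: it extracts every Ethereum-style address introduced on added lines and fails the check if any of them is not on the project’s allowlist of known addresses. The diff, the file path and both addresses in it are constructed for this example; the allowlist is a placeholder for a project’s own approved addresses.

```python
import re
from typing import List, Set

# Constructed sample: a unified diff as a CI job would receive it from the
# pull request. The file name, code and addresses are made up for this example.
SAMPLE_DIFF = """\
diff --git a/src/auction.js b/src/auction.js
--- a/src/auction.js
+++ b/src/auction.js
@@ -10,7 +10,7 @@
 export async function createAuction(params) {
-  const auctionWallet = params.auctionWallet;
+  const auctionWallet = "0x1111111111111111111111111111111111111111";
   return factory.create(params.token, auctionWallet);
 }
"""

# Placeholder allowlist: addresses the project has deliberately approved
# (e.g. its own treasury). Stored lowercased so comparisons are case-insensitive.
ALLOWLIST = frozenset({"0x2222222222222222222222222222222222222222"})

# An Ethereum address is "0x" followed by exactly 40 hex digits.
ETH_ADDRESS = re.compile(r"\b0x[0-9a-fA-F]{40}\b")


def added_lines(diff: str) -> List[str]:
    """Return the content of every line the diff adds, with the leading '+'
    stripped. The '+++ b/...' file header is not an added line and is skipped."""
    out = []
    for line in diff.splitlines():
        if line.startswith("+++ "):
            continue
        if line.startswith("+"):
            out.append(line[1:])
    return out


def new_addresses(diff: str, allowlist: Set[str]) -> Set[str]:
    """Addresses introduced by the diff that are not on the allowlist.
    Only added lines are inspected, so an allowlisted address being moved or
    an unrelated refactor does not trigger the check."""
    found = set()
    for line in added_lines(diff):
        for addr in ETH_ADDRESS.findall(line):
            if addr.lower() not in allowlist:
                found.add(addr.lower())
    return found


def check_diff(diff: str, allowlist: Set[str]) -> bool:
    """True if the diff introduces no unapproved addresses (safe to merge from
    this check's point of view); False if a reviewer must look at it."""
    unknown = new_addresses(diff, allowlist)
    for addr in sorted(unknown):
        print(f"BLOCK: unapproved address introduced: {addr}")
    return not unknown


if __name__ == "__main__":
    # Exit non-zero so a CI pipeline marks the pull request as failed.
    raise SystemExit(0 if check_diff(SAMPLE_DIFF, ALLOWLIST) else 1)
```

A check like this only catches the specific pattern seen here (a literal address smuggled into the front end); it complements, rather than replaces, required reviews from designated code owners and branch protection on the deployed branch, which are what would have stopped a 40-file pull request from being merged without scrutiny.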
I have seen PRs with over 40 modified files that were instantly approved. There is no code ownership.
– adamazad.eth (@adamzazad) September 17, 2021
A rough analysis compiled by SushiSwap attempts to track down the attackers and references multiple digital identities. SushiSwap believes that GitHub user AristoK3 is associated with the Twitter handle eratos1122, although the latter’s reply is not conclusive. “This is really crazy … Please delete it and say ‘sorry’ to everyone … If not, I will share the entire MISO project [sic] that I have (you know very well what I have worked on in the MISO project),” eratos1122 replied.
Because some of the digital identities mentioned in the analysis remain unverified, Ars is refraining from naming them until more information is available. We have reached out to Delong and the alleged attackers for more information and are awaiting their responses.