SUSHISWAP

DESCRIPTION OF EVENTS

"Jay Pegs Auto Mart is a subsidiary of NGMI.Global, a group of creative crypto developers and entrepreneurs who have found a love for artistic hijinks and reliable used cars. The Auto Mart set up a sale of DONA tokens on SushiSwap’s new token sale platform, Miso, in order to do a fair sale of 9,800 ERC-20 tokens that are redeemable for NFTs of 2007 Kia Sedonas. Interested buyers will also have the option to redeem their NFT for an actual 2007 Kia Sedona."

“Our goal is to bring affordable vehicles to the masses, one that’s unparalleled in reliability and is something that you can really get your family into and pass on through the generations,” BasedMoneyGod (BMG) said.

"The drop, “Jay Pegs Auto Mart,” distributed DONA tokens redeemable for Kia Sedona-styled NFTs. The drop has a cult following driven by the developers pretending to be used-car dealers – an elaborate performance laced with tongue-in-cheek, Midwestern flavor."

"They chose to sell an ERC-20 first over Miso, another member of the team, basedghoul, explained, for fairness. “We wanted to do a fair launch of the NFT. Everybody gets the same price and there’s no gas wars,” basedghoul said."

"Until now, Eratos1122 had earned a decent reputation in the space, and his Github shows a lot of experience."

"Sushi has a culture of building community-driven teams. We have a large, dedicated community contractors team. While we are humbled by our community of contractors, on Friday, September 17, Miso suffered a supply chain exploit, whereupon the fund wallet address was fixed to 0x3dDD8b6D092df917473680d6C41F80F708C45395 for ETH and WETH auctions. Upon finalization of the JayPegs auction, 865 ETH was transferred to the exploit address as the parameters were unrealized." "SushiSwap Chief Technology Officer Joseph Delong revealed that the 864.8 ETH ($2.93 million) proceeds from an NFT drop on the Miso auction platform had been stolen in an exploit."

"A blue-chip rekt by a front-end attack. Remind us, which part of crypto is supposed to be “trustless”? Misplaced faith (temporarily) cost MISO $3.1 million." "The attacker managed to walk away with the entire proceeds of the DONA sale, 864.8 ETH, or roughly $3.1M at the time of the heist."

“All of the sudden we realized we didn’t know where the funds were. The funds went to this random wallet,” BMG said. “There was a good two hours where we weren’t sure what the hell happened”

"A developer who had been contracted to work on the MISO auction for “JayPegs Automart” inserted his own wallet address into the contract instead of the auctionWallet."

"The Miso front end has become the victim of a supply chain attack. An anonymous contractor by with the GH handle AristoK3 injected malicious code into the Miso front end. We have reason to believe this is @eratos1122."

"Sales Guy #2 noted that the attack was planned and implemented well before the launch of the sale and that NGMI “only realized we were f**ked” after the sale concluded."

"Given that the exploit could have applied to any Miso sale, it is unclear why Eratos chose the DONA drop. Miso has hosted sales worth upward of $350 million."

"It took the team at Jay Pegs Auto Mart basically zero time to identify and find the hacker responsible for stealing the proceeds from their auction of DONA tokens on SushiSwap’s MISO platform."

"Sushi team representatives told CoinDesk in a statement that while a forthcoming incident report found that “Eratos had a first degree funding relation to the exploit address” and that “Eratos purportedly held a lead position over this separate actor,” there is no definitive proof that Eratos and the attacker were the same entity."

"Sushi reached out to the commit author, MISO users, and institutions associated with or that have interacted with the address to seek rectification." "The funds were returned on Friday morning after negotiations with the exploiter, a developer who works under the pseudonym “Eratos.”" "The full funds were returned to the operational multisig after a period of discussion in quantities of 100 ETH, 700 ETH, and 65 ETH."

"In the end, however, a cult non-fungible token (NFT) project has prevailed, having not just retrieved the stolen funds but also firmly establishing itself in the limelight in a space that’s often short on mindshare."

Jay Peg's Auto Mart included an NFT collection sold through the Sushiswap MISO platform. At the last minute, the contract was modified to send funds to the account of a developer. It took a while to detect the issue, and the developer initially denied what had happened, however they quickly came around to repaying the funds. There were no losses in this case, as the NFTs were delivered and the collected funds were ultimately recovered.

Rekt - JayPegs Automart - REKT (Sep 28)
blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub (Aug 11)
$3M Was Stolen, but the Real Steal Is These Kia Sedonas, Say Anonymous Developers (Oct 2)
SushiSwap (Oct 20)
DeFi Platform SushiSwap (SUSHI) Unveils Roadmap for 2021 | BTCMANAGER (Oct 20)
JAY PEGS AUTO MART (Oct 20)
@jaypegsautomart Twitter (Nov 7)
Inside the Hunt for the Jay Pegs Auto Mart Thief and 865 ETH - The Defiant (Nov 7)
@jemenger Twitter (Nov 7)
HackMD - Collaborative Markdown Knowledge Base (Nov 7)
@sbetamc Twitter (Nov 7)
@bantg Twitter (Nov 7)
@josephdelong Twitter (Nov 7)
Comprehensive List of DeFi Hacks & Exploits - CryptoSec (Jan 8)
@josephdelong Twitter (Jan 8)

More case studies

NowSwap Protocol
Logic Error

PNetwork Faulty
TX Processing