SushiSwap Attacked Again
Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' section to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!
SushiSwap had a complex process for adding new trading pairs to their "SushiMaker" smart contract. The process was not followed properly when adding the DIGG-WETH trading pair. As a result an attacker was able to siphon off trading fees.
It doesn't appear any user funds were lost.
This is a global/international case not involving a specific country. [1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18]
About SushiSwap
"Sushi is a DeFi protocol that is completely community-driven, serving up delicious interest for your held crypto assets." "On Sushi, you can take advantage of passive-income providing DeFi tools such as liquidity providing, yield farming and staking. Furthermore, due to the decentralized nature of being an AMM (Automated Market Maker), Sushi has fewer hurdles to execute your cryptocurrency trades and all fees are paid to the users who provided liquidity, just as it should be!"
“… we have designed SushiSwap as the next step forward in the Uniswap protocol design. Taking Uniswap’s elegant core design, we’ve added community-oriented features that we believe help improve the design of the protocol, as well as provide further benefits to the actors involved.”
"This coin followed in the footsteps of other YFI clones with its low supply and yield farming. When it was listed on Uniswap on August 26, it started at a high of $128 before finding a bottom at $0.69. In less than a week of its launch, it had been listed on Binance peaking at $15.96. On CoinMarketCap, it hit rank 74."
"As reported Monday by CoinDesk’s Will Foxley, a pseudonymous developer who goes by “Chef Nomi” launched the SushiSwap protocol in late August, and it was quickly cast as a “vampire protocol” because its inherent design intended to siphon away liquidity from a competing trading platform, Uniswap."
"The project quickly attracted more than $1 billion of collateral with a technique known as “zombie mining,” The market value of the associated SUSHI tokens surged roughly 500-fold in a matter of days to more than $300 million."
"SushiMaker is an important component of the SushiSwap protocol. It is used to collect the handling fee of each trading pair of SushiSwap, and by setting the routing of each token, the handling fee of different trading pairs is finally converted into sushi tokens, which will give back Holder of sushi token. This process happens on the SushiMaker contract."
"On January 27, 2021, according to the SlowMist Zone intelligence, SushiSwap was attacked again." "The attacker hinged on a weak spot in the SushiSwap protocol via a smart contract component known as Sushimaker." "The problem was that the transaction fee of the DIGG-WBTC trading pair was taken away by the attacker through special means. The SlowMist security team immediately intervened in the analysis of related incidents after receiving the intelligence."
A "SushiSwap DeFi misconfiguration was exploited to manipulate the exchange price of a DIGG-WETH pair which netted an attacker 81 ETH ($100K) profit."
"According to the logic of bridgeFor, we can find that if the bridge of a specific currency has not been manually set, the default bridge is WETH, that is, if the bridge is not set, the default is to convert the handling fee to WETH. The DIGG coin just didn’t set the corresponding bridge through setBridge."
"But there is another problem here, that is, during the swap process, if the transaction pair does not exist, the exchange process will fail. In this attack, the DIGG-WETH transaction pair did not exist at the beginning, so the attacker created a DIGG-WETH transaction pair in advance, and then added a small amount of liquidity. If a commission exchange occurs at this time, according to the feature of constant product mentioned above, because DIGG-WETH has very little liquidity, that is, the upper limit of WETH in DIGG-WETH is very small, while the number of commissions to be converted in SushiMaker is relatively small. Larger, such exchange will cause huge slippage. The exchange process will increase the price of WETH to DIGG in the DIGG-WETH trading pair, and all DIGG fee income of DIGG-WETH will be transferred to the DIGG-WETH transaction. By observing the liquidity situation of the DIGG-WETH trading pair, when the liquidity is maximum, there is only less than 2800 US dollars of liquidity. This result can also be mutually verified with the derivation of the formula."
"After the attacker completes the fee conversion at SushiMaker, the price of WETH to DIGG in the DIGG-WETH transaction pair has been increased, resulting in a small amount of WETH that can be exchanged for a large amount of DIGG, and the amount of this DIGG is exactly the DIGG-WBTC transaction Most of the fee income."
“After researching further, we found that although there had been an exploit, the damage had already been contained, and what had been perceived as a threat to the entire SushiSwap protocol was simply a smart scavenger picking up food that had been left behind.”
"Although a solution had been created some weeks earlier, it had to be applied manually along with each new pool. As this had not been applied, the scavenger was able to sneak in and take fees which should have gone to xSushi holders." "When new pairs were added in Sushiswaps’ Onsen, some non-ETH pairs were added, but no "bridge" was set up in the SushiMaker for DIGG/WBTC."
This is a global/international case not involving a specific country.
The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.
Include:
- Known history of when and how the service was started.
- What problems does the company or service claim to solve?
- What marketing materials were used by the firm or business?
- Audits performed, and excerpts that may have been included.
- Business registration documents shown (fake or legitimate).
- How were people recruited to participate?
- Public warnings and announcements prior to the event.
Don't Include:
- Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
- Anything that wasn't reasonably knowable at the time of the event.
There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.
The Reality
This sections is included if a case involved deception or information that was unknown at the time. Examples include:
- When the service was actually started (if different than the "official story").
- Who actually ran a service and their own personal history.
- How the service was structured behind the scenes. (For example, there was no "trading bot".)
- Details of what audits reported and how vulnerabilities were missed during auditing.
What Happened
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.
| Date | Event | Description |
|---|---|---|
| January 27th, 2021 12:00:00 AM | Main Event | Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here. |
Total Amount Lost
The total amount lost has been estimated at $100,000 USD.
How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?
Immediate Reactions
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?
Ultimate Outcome
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
What funds were recovered? What funds were reimbursed for those affected users?
Ongoing Developments
What parts of this case are still remaining to be concluded?
Prevention Policies
Which policies could have prevented this event from happening?
References
- ↑ SlowMist Hacked - SlowMist Zone (May 17, 2021)
- ↑ No Title (Jul 17, 2021)
- ↑ Slow Mist Sushiswap Was Attacked For The Second Time (Jul 17, 2021)
- ↑ The Rise Fall And Rise Of Sushiswap (May 23, 2021)
- ↑ SushiSwap Falls Victim To Attack Again, And Hacker Make A Big Fat Profit - TokenPost (Jul 17, 2021)
- ↑ SushiSwap Suffers Another Attack. Hacker Steals 81 Eth - BeInCrypto (Jul 17, 2021)
- ↑ First Mover: SushiSwap's Billion-Dollar 'Rug Pull' Is Thriller to Crypto Geeks - CoinDesk (May 23, 2021)
- ↑ Sushi price, chart, market cap and info | CoinGecko (May 23, 2021)
- ↑ @SlowMist_Team Twitter (Jul 18, 2021)
- ↑ Ethereum Transaction Hash (Txhash) Details | Etherscan (Jul 21, 2021)
- ↑ Ethereum Transaction Hash (Txhash) Details | Etherscan (Jul 21, 2021)
- ↑ SushiSwap (Jul 21, 2021)
- ↑ [1] (Jul 21, 2021)
- ↑ Rekt - Badgers digg sushi (Jul 21, 2021)
- ↑ SotN #31: The Rise of SushiSwap with 0xMaki (Sushi vs Uniswap, Differentiation, Future of Sushi) - YouTube (Aug 9, 2021)
- ↑ blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub (Aug 10, 2021)
- ↑ Replaying Ethereum Hacks - Sushiswap BadgerDAO's Digg | cmichel (Aug 10, 2021)