Super Sushi Samurai Minting Exploit
Super Sushi Samurai (SSS) offers a complete on-chain experience, allowing players to own a piece of the game, collect player tax and game store revenue, and participate in daily and growth quests to unlock exclusive NFT legend skins. Set in the chaotic period of Mizu-Edo, players assume the role of a Sushi Samurai in the Rice Kingdom, embarking on a journey to protect their land and improve their skills through battles. However, the game faced an exploit shortly after its launch on the Blast L2 network, resulting in a significant loss of funds. Despite this setback, the team is investigating and working on reimbursing affected users with the help of a white hat hacker, who reportedly did the hack to rescue the majority of the funds.
This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15]
About Super Sushi Samurai
"SSS is a complete on-chain experience"
"- Own a piece of the game
- Collect player tax and game store revenue
- Daily Quest and Growth Quest
- Reward: unlock a Secret Sushi Scroll for a shot at an exclusive NFT Legend Skin
- Obtain SSS rewards for playing
- Fair-launched game token
- Gameplay uses and burns SSS"
"It is the period of Mizu-Edo, a chaotic time where various types of Food battle for supremacy and culture.
You play as a Samurai born in the Rice Kingdom. Your family lineage comprises of multiple generations of highly regarded Sushi Samurai."
"You begin your journey as a Novice Samurai, trained in Rice-Fu. You took an oath to protect the Rice Kingdom against foreign invaders.
As you roam the lands of the Rice Kingdom and experience more battles, your strength and skills improve.
Your loyal sidekick condiment will always be in battle by your side, growing together with you and helping to collect the spoils of battle."
"Compete in seasonal clan wars, level up for leaderboard dominance, and win exclusive rewards. Join daily raids, summon bosses, and collaborate for rewards in fast-paced summoner-led battles. Outwit others in a strategic countdown. Be the final depositor before time expires to claim all rewards. Challenge opponents daily to withdraw tokens. Win by strategy and luck with a 60% chance for higher level Samurais. Test your luck with each flip. Set up or join matches for a chance to double your stake. It’s all about riding the waves of fate."
"Verichains was responsible for the audit and missed the exploit. They let the contract go live with an infinite mint exploit."
"The token contract has a bug where transferring your entire balance to yourself doubles it."
"Blast L2-based game Super Sushi Samurai's LP drained $4.8m in contract bug exploit shortly after its launch, and the price dropped 99.9%."
"SSS exploited on blast for ~$4.8m"
"Pausing token transfers and investigating"
"We have been exploited, it's mint related. We are still looking into the code. Tokens were minted and sold into the LP."
"Hi team, this is a whitehat rescue hack. Let's work on reimbursing the users. Please reach out via Blockscan chat from the SSS deployer 0x555b28f3b8b3b8ebd1b06997c2078fd94529f555 on Ethereum mainnet."
"Hello white hat, We have reached out to you on Blockscan. Thank you for cooperating with us."
The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.
Include:
- Known history of when and how the service was started.
- What problems does the company or service claim to solve?
- What marketing materials were used by the firm or business?
- Audits performed, and excerpts that may have been included.
- Business registration documents shown (fake or legitimate).
- How were people recruited to participate?
- Public warnings and announcements prior to the event.
Don't Include:
- Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
- Anything that wasn't reasonably knowable at the time of the event.
There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.
The Reality
This section is included if a case involved deception or information that was unknown at the time. Examples include:
- When the service was actually started (if different than the "official story").
- Who actually ran a service and their own personal history.
- How the service was structured behind the scenes. (For example, there was no "trading bot".)
- Details of what audits reported and how vulnerabilities were missed during auditing.
What Happened
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.
| Date | Event | Description |
|---|---|---|
| March 21st, 2024 8:50:45 AM MDT | First Exploit Transaction | The first blockchain exploit transaction. |
| March 21st, 2024 8:51:33 AM MDT | Second Exploit Transaction | The second blockchain exploit transaction. |
| March 21st, 2024 8:53:01 AM MDT | Third Exploit Transaction | The third exploit transaction, which obtains 1,310.040494988573740722 wrapped ether (WETH). This was apparently a whitehat rescue attack. |
| March 21st, 2024 9:02:00 AM MDT | Spreek Sounds Alarm | Twitter user Spreek sounds the alarm on the exploit. |
| March 21st, 2024 9:05:00 AM MDT | Team Response | The team posts an update on Twitter that they are pausing token transfers and investigating. |
| March 21st, 2024 9:26:00 AM MDT | coffeexcoin Posts Bug | Twitter user coffeexcoin posted a summary of the exploit about doubling. |
| March 21st, 2024 9:49:27 AM MDT | Whitehat Rescue Message | The hacker responsible for the second transaction posts to indicate that they were attempting to rescue the funds from the smart contract. |
| March 21st, 2024 9:55:00 AM MDT | Exploiter Contact | The team announces that they are in contact with the exploiter. |
| March 21st, 2024 10:06:23 AM MDT | Blank Message In Chain | A blank message appears in the Ethereum blockchain. |
| March 21st, 2024 10:13:13 AM MDT | Third Exploit Transaction | A third exploit transaction on the blockchain? |
| March 21st, 2024 12:09:00 PM MDT | Working On Safe Return | The team announces that they are working with the whitehat on the safe return of the funds. |
| March 22nd, 2024 | Postmortem and Breakdown | The team releases a postmortem and is still working with the white hat on an arrangement. |
Technical Details
This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?
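The only technical description the page gives of the bug is the quoted observation that "transferring your entire balance to yourself doubles it". The following is an added illustration written for this page, not code from the Super Sushi Samurai contract or its audit: a small Python model of the ERC-20-style transfer pattern that produces exactly that behaviour (both balances are read into locals before either is written back, so when sender and recipient are the same account the credit overwrites the debit), placed beside the corrected write ordering and the supply-conservation invariant that makes the fault visible in a unit test or fuzz run. The account names and balances are constructed sample values; whether the SSS contract was written this way is not something the page states.

```python
"""Model of the cached-balance self-transfer bug class described on this page.

Added illustration, not the Super Sushi Samurai contract's code. Balances are
plain integers in base units (constructed sample values), mirroring how an
ERC-20 contract keeps them in a mapping.
"""


class Ledger:
    """Minimal token ledger: a balance mapping plus a fixed total supply."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.total_supply = sum(self.balances.values())

    def transfer_vulnerable(self, sender, recipient, amount):
        # Both balances are read into locals *before* either write.
        # When sender == recipient, the second write replaces the debited
        # value with (old_balance + amount), so the debit is lost and the
        # account is credited out of thin air. With amount == old_balance
        # the balance doubles, which is the symptom quoted on this page.
        from_balance = self.balances.get(sender, 0)
        to_balance = self.balances.get(recipient, 0)
        if from_balance < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] = from_balance - amount
        self.balances[recipient] = to_balance + amount

    def transfer_fixed(self, sender, recipient, amount):
        # Debit first, then read the recipient's *current* balance for the
        # credit. Correct for sender == recipient because the credit now sees
        # the already-debited value.
        from_balance = self.balances.get(sender, 0)
        if from_balance < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] = from_balance - amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount

    def supply_is_conserved(self):
        # Invariant a unit test, fuzzer or on-chain monitor can check:
        # a transfer must never change the sum of all balances.
        return sum(self.balances.values()) == self.total_supply


def demonstrate(transfer_name, amount=100):
    """Run one self-transfer through the named transfer implementation.

    Returns (balance_after, supply_conserved) for the self-transferring account.
    """
    ledger = Ledger({"alice": 100, "bob": 50})  # constructed sample balances
    transfer = getattr(ledger, transfer_name)
    transfer("alice", "alice", amount)
    return ledger.balances["alice"], ledger.supply_is_conserved()


if __name__ == "__main__":
    print("vulnerable, full self-transfer:", demonstrate("transfer_vulnerable"))      # (200, False)
    print("vulnerable, partial self-transfer:", demonstrate("transfer_vulnerable", 30))  # (130, False)
    print("fixed, full self-transfer:", demonstrate("transfer_fixed"))                # (100, True)
```

In Solidity the same fault appears when an internal `_transfer` copies `balanceOf[from]` and `balanceOf[to]` into stack variables and then writes both back; the remedy is the same as in `transfer_fixed` (debit the storage slot first, then credit the current value), and a test suite that checks `sum(balances) == totalSupply` after every transfer, including the `from == to` case, catches the defect before deployment regardless of how the code is written.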
Total Amount Lost
The total amount lost has been estimated at $4,800,000 USD.
How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?
Immediate Reactions
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?
Ultimate Outcome
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?
Total Amount Recovered
The total amount recovered is unknown.
What funds were recovered? What funds were reimbursed for those affected users?
Ongoing Developments
What parts of this case are still remaining to be concluded?
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
1. Rekt - Super Sushi Samurai - REKT (Apr 24, 2024)
2. @spreekaway Twitter (Apr 24, 2024)
3. @SSS_HQ Twitter (Apr 24, 2024)
4. @BartertownC Twitter (Apr 24, 2024)
5. @SSS_HQ Twitter (Apr 24, 2024)
6. @coffeexcoin Twitter (Apr 24, 2024)
7. Blastscan Transaction Hash (Txhash) Details | BLAST (Apr 24, 2024)
8. Blastscan Transaction Hash (Txhash) Details | BLAST (Apr 24, 2024)
9. Blastscan Transaction Hash (Txhash) Details | BLAST (Apr 24, 2024)
10. Blastscan Transaction Hash (Txhash) Details | BLAST (Apr 24, 2024)
11. Blastscan Transaction Hash (Txhash) Details | BLAST (Apr 24, 2024)
12. Ethereum Transaction Hash (Txhash) Details | Etherscan (Apr 24, 2024)
13. @SSS_HQ Twitter (Apr 24, 2024)
14. Super Sushi Samurai (Apr 24, 2024)
15. https://beacons.ai/sss_hq (Apr 24, 2024)