RektHQ's Inside Scoop On SushiSwap's Latest $15k Exploit - Decentralise #40
What happened and how 0xMaki found the likely culprit
If you haven’t yet followed RektHQ you’re seriously missing out.
RektHQ describe themselves as the dark web of defi journalism, allowing anonymous contributors to spill the decentralised beans.
Today they put out a conversation with lead Sushi dev 0xMaki that dives deep into the $15k exploit that occurred yesterday.
The piece follows what happened, how 0xMaki responded and who he reached out to, and how they managed to hunt down the user.
It includes screenshots of direct messages with some of the best defi developers and is a personal and insightful narration of events.
I think it’s important to take a second to acknowledge the significance of a $15k exploit. Frequent multi-million dollar hacks in defi have definitely desensitised most people. Just a couple of days ago a Compound oracle exploit led to ~$90m of liquidations.
The reality is that while this isn’t $90m, $15k is still a significant chunk of change.
As white hat legend Samczsun told 0xMaki, only in defi is this amount of loss no big deal.
What Happened
This is the best summary of events on Twitter:

The issue was raised by a member of the community on the Sushi Discord. 0xMaki immediately reached out to Yearn developers Banteg and Andy, as well as white hats Daniel Que and Samczsun.
After successfully replicating the exploit, the guys managed to fix the vulnerability.
The exploit didn’t directly affect users; instead it leeched accumulated fees. Sushi have reimbursed the funds from their treasury.
What happened next is where it gets interesting.
0xMaki recognised that the individual’s address had been receiving Discord community channel tips (SNX and ESD). With the help of a Synthetix community member, he believes he has identified the user based on the timestamps of those tips.
The individual has denied any involvement, but 0xMaki said that he’s grateful for what happened. He’s encouraged them to find more vulnerabilities as part of the ongoing bug bounty programme.
Conclusion
This story has a reasonably happy ending, with limited damage and the end result of a more robust platform. The guys at Rekt do however raise an interesting point. We’re incredibly reliant on the goodwill, time, and expertise of white hats, who receive little compensation for their hard work. Meanwhile black hats with equivalent skillsets rake in millions.
I’d like to see more efforts to fund white hats and show appreciation for everything they do.
Don’t forget to subscribe to RektHQ to stay up to date with the latest defi hacks.
It seems they’re going to be kept busy for the foreseeable future.