Curated from: coindesk.com
A group of people in the crypto community, led by crypto investment firm Paradigm's research partner Sam Sun, may have just prevented SushiSwap's token fundraising platform Miso from losing more than $350 million worth of ether (ETH), after discovering and fixing a bug on the platform in under five hours.
In a Dutch auction, investors place bids reflecting the maximum amount that they are willing to pay. Once the bids are collected, the highest bid is declared the winner. After the auction is finalized, unsuccessful bids are returned to their owners.
The SushiSwap team and Paradigm's Sun, in separate posts, both identified that, essentially, the vulnerability was centered around the ability to batch multiple calls to commitEth and reuse a single msg.value across every commitment, allowing an attacker to bid in the auction for free.
"Combining batch with commitEth (a function on Miso Dutch Auction) creates a two-pronged issue where a user can both put up a commitment higher than 'msg.value', thereby draining any unsold tokens and additionally drain the raised funds on the contract as refunds if the auction has reached max commitment," SushiSwap's team wrote in the post.
"The bug was created when a convenience function for wallet addresses interacted with the refund mechanism of the auction contract," explained Duncan Townsend, CTO at Immunefi, a bug bounty platform for DeFi that was also recruited to help solve the issue.
"Users could over-bid and get a refund of the difference between the current bid and the amount they submitted, but the refund could be repeated to drain the auction contract," Townsend added.
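The accounting failure described above can be reproduced in a small model. This is an added example, not the Miso contract code or anything from the SushiSwap or Paradigm posts: `AuctionModel`, `run`, `solvent` and the `consume_value_once` guard are hypothetical names, the guard is one possible mitigation rather than the fix that was deployed, and all amounts are constructed.

```python
# Simplified accounting model of the batch + commitEth interaction described
# above. Constructed for illustration; not the Miso contract code.

class AuctionModel:
    def __init__(self, max_commitment, consume_value_once=False):
        self.max_commitment = max_commitment  # cap on total accepted bids
        self.total_committed = 0              # what the contract thinks it raised
        self.balance = 0                      # ETH the contract actually holds
        self.consume_value_once = consume_value_once  # hypothetical guard

    def _commit_eth(self, msg_value):
        """Accept up to the remaining capacity and refund the rest."""
        accepted = min(msg_value, self.max_commitment - self.total_committed)
        self.total_committed += accepted
        refund = msg_value - accepted
        self.balance -= refund                # refund is paid out of the contract
        return refund

    def batch(self, msg_value, n_calls):
        """One transaction: ETH arrives once, then n_calls sub-calls run."""
        self.balance += msg_value
        refunded = 0
        for i in range(n_calls):
            # Unguarded: every sub-call observes the same msg.value.
            # Guarded: the value is consumed by the first sub-call only.
            seen = 0 if (self.consume_value_once and i > 0) else msg_value
            refunded += self._commit_eth(seen)
        return refunded

    def solvent(self):
        """Invariant: held ETH must cover every recorded commitment."""
        return self.balance >= self.total_committed


def run(guarded, prior_bids, msg_value, n_calls, cap=100):
    """Return (total_committed, balance, refunded, solvent) for one scenario."""
    auction = AuctionModel(cap, consume_value_once=guarded)
    if prior_bids:
        auction.batch(prior_bids, 1)          # honest single-call bids
    refunded = auction.batch(msg_value, n_calls)
    return auction.total_committed, auction.balance, refunded, auction.solvent()
```

The `solvent()` check is the invariant worth asserting in tests or monitoring for any contract that combines a batching helper with payable functions: recorded commitments must never exceed the ETH actually held.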
The smart contracts that underpin DeFi are complex, combining "composable" Lego blocks to create new contracts and protocols. "This incident shows that even safe contract-level components can be mixed in a way that produces unsafe contract-level behavior. There's no catch-all advice to apply here like 'check-effect-interaction,' so you just need to be cognizant of what additional interactions new components are introducing," Sun said.