White Hats Just Defused a Potential $350M Heist on SushiSwap - CoinDesk - Deepstash
White Hats Just Defused a Potential $350M Heist on SushiSwap - CoinDesk

White Hats Just Defused a Potential $350M Heist on SushiSwap - CoinDesk

Curated from: coindesk.com

Ideas, facts & insights covering these topics:

6 ideas

·

52 reads

Explore the World's Best Ideas

Join today and uncover 100+ curated journeys from 50+ topics. Unlock access to our mobile app with extensive features.

<p dir="ltr">A group of people...

A group of people in the crypto community, led by crypto investment firm Paradigm’s research partner Sam Sun , may have just prevented SushiSwap’s token fundraising platform Miso from losing more than $350 million worth of ether (ETH, -5.98%) , after discovering and fixing a bug on the platform in under just five hours.

In a Dutch auction, investors place bids reflecting the maximum amount that they are willing to pay. Once the bids are collected, the highest bid is declared the winner. After the auction is finalized, unsuccessful bids are returned to their owners.

2

36 reads

<p dir="ltr">A group of people...

A group of people in the crypto community, led by crypto investment firm Paradigm’s research partner Sam Sun , may have just prevented SushiSwap’s token fundraising platform Miso from losing more than $350 million worth of ether (ETH, -5.98%) , after discovering and fixing a bug on the platform in under just five hours.

In a Dutch auction, investors place bids reflecting the maximum amount that they are willing to pay. Once the bids are collected, the highest bid is declared the winner. After the auction is finalized, unsuccessful bids are returned to their owners.

2

1 read

The vulnerability

The SushiSwap team and Paradigm’s Sun , in separate posts, both identified that, essentially, the vulnerability was centered around the ability to batch multiple calls to commitEth  and reuse a single msg.value  across every commitment, allowing an attacker to bid in the auction for free.

2

7 reads

“Combining batch with commitEth (a function on Miso Dutch Auction) creates a two-pronged issue where a user can both put up a commitment higher than ‘msg.value ’ thereby draining any unsold tokens and additionally drain the raised funds on the contract as refunds if the auction has reached max commitment,” SushiSwap’s team wrote in the post.

2

5 reads

“The bug was created when a convenience function for wallet addresses interacted with the refund mechanism of the auction contract,” explained Duncan Townsend, CTO at Immunefi, a bug bounty platform for DeFi that was also recruited to help solve the issue.

“Users could over-bid and get a refund of the difference between the current bid and the amount they submitted, but the refund could be repeated to drain the auction contract,” Townsend added.

2

1 read

The smart contracts that underpin DeFi are complex, combining “composable” Lego blocks to create new contracts and protocols. “This incident shows that even safe contract-level components can be mixed in a way that produces unsafe contract-level behavior. There’s no catch-all advice to apply here like ‘check-effect-interaction,’ so you just need to be cognizant of what additional interactions new components are introducing,” Sun said.

2

2 reads

IDEAS CURATED BY

decebaldobrica

#engineering, #machinelearning and #crypto

Decebal Dobrica's ideas are part of this journey:

Hiring Without an Office

Learn more about technologyandthefuture with this collection

How to build trust in a virtual environment

How to manage remote teams effectively

How to assess candidates remotely

Related collections

Read & Learn

20x Faster

without
deepstash

with
deepstash

with

deepstash

Personalized microlearning

100+ Learning Journeys

Access to 200,000+ ideas

Access to the mobile app

Unlimited idea saving

Unlimited history

Unlimited listening to ideas

Downloading & offline access

Supercharge your mind with one idea per day

Enter your email and spend 1 minute every day to learn something new.

Email

I agree to receive email updates