Cryptocurrency launchpad hit by $3 million supply chain attack
SushiSwap’s chief technology officer says the company’s MISO platform has been hit by an attack on its software supply chain. SushiSwap is a community-run decentralized finance (DeFi) platform that lets users exchange, earn, lend, borrow, and use cryptocurrency assets from one place. Sushi’s newest offering, Minimal Initial SushiSwap Offering (MISO), launched earlier this year, is a token launchpad that projects can use to launch their own tokens on the Sushi network.
In contrast to cryptocurrency coins, which require a native blockchain and substantial foundations, DeFi tokens are an easier-to-implement alternative as they can work on an existing blockchain. For example, anyone can create their own “digital token” on the Ethereum blockchain without having to re-create a new cryptocurrency.
Attacker steals $3 million in Ethereum via GitHub commit
In a Twitter thread today, SushiSwap CTO Joseph Delong announced that an auction on the MISO launchpad was hijacked by a supply chain attack. An “anonymous contractor” with the GitHub handle AristoK3 and access to the project’s code repository had pushed a malicious code commit that was distributed via the platform’s front-end.
A software supply chain attack occurs when an attacker interferes with or hijacks the software build and delivery process in order to inject malicious code, so that a large number of consumers of the finished product are affected by a single compromise. This can happen when code libraries or individual components used in a software build are tampered with, when software update binaries are “trojanized”, when code-signing certificates are stolen, or even when a server running a software-as-a-service product is compromised. Successful supply chain attacks therefore cause far greater impact and damage than an isolated security breach.
In the case of MISO, Delong says that “when the attacker created the auction, he inserted his own wallet address to replace the AuctionWallet”:
The miso front end has fallen victim to a supply chain attack. An anonymous contractor with the GH handle AristoK3 injected malicious code into the Miso front end. We have reason to believe that this is @eratos1122.
864.8 ETH was stolen, address below https://t.co/cDZeBqFV4P
– Joseph 🤝 Delong 🔱 (@josephdelong) September 17, 2021
The above tweet has been deleted but has been made available here.
This exploit enabled the attacker to divert 864.8 ETH, around $3 million, into his own wallet.
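To make the described substitution concrete, here is an added example (not code from SushiSwap or MISO) of a front-end guard that compares the payout wallet the front end is about to use against the wallet a trusted source records for that auction, so that a swapped AuctionWallet is flagged before a transaction is signed. The sample addresses, auction ids and lookup table are constructed for this example; in a real dApp the trusted lookup would be a read call against the auction contract rather than front-end configuration.

```javascript
// Added example: guard against a front-end payout-address swap.
const HEX_ADDRESS = /^0x[0-9a-fA-F]{40}$/;

// Validate the shape of an address and lowercase it so that mixed-case
// renderings of the same address compare equal (EIP-55 checksum not verified).
function normalizeAddress(addr) {
  if (typeof addr !== "string" || !HEX_ADDRESS.test(addr)) {
    throw new Error("malformed address: " + String(addr));
  }
  return addr.toLowerCase();
}

// Verdict for one auction: the wallet the front end wants to pay out to must
// equal the wallet the trusted source (an injected lookup function) reports.
function verifyAuctionWallet(auctionId, frontEndWallet, lookupTrustedWallet) {
  const expected = normalizeAddress(lookupTrustedWallet(auctionId));
  const proposed = normalizeAddress(frontEndWallet);
  return expected === proposed
    ? { auctionId, ok: true, reason: "" }
    : { auctionId, ok: false,
        reason: "front end pays " + proposed + ", trusted source says " + expected };
}

// Constructed sample data (addresses are made up). TRUSTED_AUCTIONS stands in
// for on-chain auction state; FRONT_END_CONFIG is what a malicious commit to the
// front end could alter. Auction 2's payout wallet has been swapped.
const TRUSTED_AUCTIONS = {
  1: "0x1111111111111111111111111111111111111111",
  2: "0x2222222222222222222222222222222222222222",
};
const FRONT_END_CONFIG = [
  { auctionId: 1, auctionWallet: "0x1111111111111111111111111111111111111111" },
  { auctionId: 2, auctionWallet: "0xABABABABABABABABABABABABABABABABABABABAB" },
];

function lookupSampleWallet(auctionId) {
  const wallet = TRUSTED_AUCTIONS[auctionId];
  if (wallet === undefined) throw new Error("unknown auction " + auctionId);
  return wallet;
}

// Audit every auction the front end knows about; returns the ids whose payout
// wallet does not match the trusted source (an empty array means clean).
function auditFrontEndConfig(config = FRONT_END_CONFIG, lookup = lookupSampleWallet) {
  return config
    .map((e) => verifyAuctionWallet(e.auctionId, e.auctionWallet, lookup))
    .filter((v) => !v.ok)
    .map((v) => v.auctionId);
}

console.log("tampered auctions:", auditFrontEndConfig());
```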
So far, according to Delong, only one auction on the platform, for an automobile marketplace (1, 2), has been exploited, and all affected auctions have been patched. The auction’s final amount corresponds to the number of stolen Ether coins.
Funds stolen from the Auto-Mart auction on SushiSwap’s MISO platform.
SushiSwap requested Know Your Customer (KYC) data on the attacker from the Binance and FTX cryptocurrency exchanges in order to identify him. Binance publicly said it was investigating the incident and offered to work with SushiSwap.
“Provided the funds are not repaid by 8a ET, we have hired our lawyer [Stephen Palley] to file an IC3 complaint with the FBI,” Delong said.
Ars has seen the balance of the attacker’s wallet drop in the past few hours, suggesting the funds are changing hands. Recent transactions (1, 2) show that the “Miso Front End Exploiter” is returning the stolen currency to SushiSwap, into the company’s pool called “Operation Multisig”.
It is not uncommon for attackers and cybercriminals to return stolen funds to their rightful owners for fear of law enforcement consequences, as we saw in the $600 million Poly Network heist.
But how did the attacker get access to GitHub?
According to SushiSwap, the fraudulent contractor AristoK3 pushed the malicious code commit 46da2b4420b34dfba894e4634273ea68039836f1 to Sushi’s “miso-studio” repository. Since the repository appears to be private, GitHub returns a 404 “not found” error to anyone without permission to view it. So how did the “anonymous contractor” get access to the project repository in the first place? Surely there has to be a review process somewhere at SushiSwap?
Although anyone can offer to contribute to a public GitHub repository, only selected people can access or contribute to private ones. And even then, commits should ideally be reviewed and approved by trusted members of the project before they are merged.
Cryptocurrency enthusiast Martin Krung, creator of the “Vampire Attack,” wondered whether the attacker’s pull request had been properly reviewed before being merged into the code base, and he received insights from contributors:
I’ve seen PRs with 40+ files changed that were approved instantly. There is no code ownership.
– adamazad.eth (@adamzazad) September 17, 2021
A rough analysis compiled by SushiSwap (since removed by SushiSwap, but archived here) tries to track down the attacker(s) and points to several digital identities. SushiSwap assumes that GitHub user AristoK3 is associated with the Twitter handle eratos1122, although the latter’s reply is ambiguous. “This is really crazy … Please delete it and say ‘Sorry’ to everyone … If not, I’ll share the entire MISO project [sic] that I have (you know very well what I was working on on the MISO project),” replied eratos1122.
Since some of the digital identities mentioned in the analysis remain unverified, Ars is not naming them until further information is available. We have contacted Delong and the alleged attackers to find out more and are awaiting their replies.