On 17th September, an NFT auction on DeFi exchange SushiSwap's MISO launchpad was subjected to a supply chain attack, in which a hacker changed a smart contract address to one they control, siphoning off $3 million in Ethereum.

The issue was initially made public by SushiSwap's Chief Technology Officer, Joseph Delong, who tweeted on Thursday: “The Miso front end has become the victim of a supply chain attack. An anonymous contractor with the GH handles AristoK3 injected malicious code into the Miso front end. We have reason to believe this is @eratos1122.864.8 ETH was stolen."

An attacker took advantage of a flaw in the Miso platform during the NFT token sale auction. A nameless contractor who used the AristoK3 alias on Github injected malicious code into the Miso user interface. In the afternoon of September 16, 864.8 ETH was transferred. 

This attack type is related to open-source software libraries, according to the US National Center of Counterintelligence and Security. Etherscan has identified the address as "related with a hack." Furthermore, the attackers changed the contract address to one in his possession.

SushiSwap also requested to obtain the hacker's know-your-customer (KYC) information from cryptocurrency exchanges FTX and Binance, "but they have resisted on this time-sensitive matter," according to Delong.

“I recommend that you test your own user interface in order to identify exploits early on,” said Delong.

The company has also asked their lawyer to “file an IC3 complaint with the FBI” if the stolen cash was not returned the funds by Friday at 8 AM EST.

In July, the DeFi platform announced an update on its highly awaited project "7/20", the launch of Trident, a new automated marketplace maker that is aimed as the most efficient company on the market.

Pavan A

CBW - External Analyst

INDIA