SushiSwap Saved - 0xMaki Speaks Out



Out of the frying pan and into the fire.

The anonymous developer 0xMaki took on the lead development of SushiSwap after founder Chef Nomi let greed get the better of him.

After the end of DeFi Summer and the fall of the food farm, many assumed SushiSwap to be dead and gone. However, their developers never stopped building, and SushiSwap has recently returned with a new menu.

Welcome!!! (いらっしゃいませ)

However, it’s not all been easy in the Omakase bar.

Late last night, an anonymous actor poked a hole in their smart contracts and stole ~$15k before the team of Sushi chefs chased them out of the kitchen.

rekt reached out to 0xMaki to hear his side of the story.

0xMaki: Since the Nansen report, I had been serving the Sushibar myself in order to mitigate arb opportunities. I had seen a few small weird transactions, but assumed nothing bad was happening since the bar was still working fine.

The first micro-tx came maybe 2-3 days ago, but yesterday it became automated, “industrial level” let’s say.

Here’s the first mention of an issue with the Sushibar. (Discord)

Monstar

@0xMaki 源 義経 what's going on with the sushibar? all sorts of weird transactions in there and it looks like the people staking the bar aren't getting any of the sushi from them

TX 1

TX 2

TX 3

0xMaki 源 義経 replied to Monstar

it is working as intended, it is just a very very very very small amount from my understanding

seems like a losing tx, looking at it

Monstar

I don't think that's right

because the amount in the bar available to claim went down significantly from those transactions

it seems like they are claiming the LP tokens themselves (not sure how that's possible) instead of claiming sushi like it's supposed to

so it's not converting to sushi and rewarding stakers

0xMaki 源 義経

looking with someone atm

maybe it's just boring app that is acting odd

Monstar

i think people figured out a way to bypass boring app

and not share the sushi with everyone in the bar

but i don't know how to replicate what they are doing so i can't test it

yeah, they definitely are

https://etherscan.io/tx/0x7c6af5ca27ceb04aad514ddcaee8afc6dd4eb79d0816e24b007e7db205e93ce3

https://etherscan.io/address/0x1925e832c22522e0d9947ee4677120b2f28e4cd4#internaltx you can see all the claims from that one wallet here

0xMaki 源 義経

@Monstar we have the steps, working on a fix atm, no funds are in trouble, just an exploit of the sushibar for the fees, sucks but it is a good bug bounty

we will forego 10k ish for today as people in the Sushibar


rekt: Thanks for the link. What were your first thoughts?

0xMaki: My first impressions were, there’s no way the bar would be having an issue right?! It must be on the frontend.. The tx didn’t make sense. But then the bar wasn’t raking in money when it should have had way more inside.

About 15 minutes later I realise it’s not good, so I immediately contact Banteg.

Banteg couldn’t help, 6am his time and he’d been busy working on the pickle / cornichon thing. All the Sushi devs were asleep - Europe / Tokyo timezone, I’m the only one in NA.

rekt: Who did you get to help?

0xMaki: I got the help of Andy, a strategist at yEarn / ex-MakerDAO smart contract engineer, and Daniel Que, ex-Coinbase.

rekt: How long did it take to fix?

0xMaki: It took 3 - 4 hours to reproduce and find the issue.

rekt: How much was lost?

0xMaki: Only 15k lost because the sushibar only accrues 20-30k per day. 0.05% goes to the pools, and it all needs to be done manually, with a risk that the tx will fail.

rekt: Hack or exploit?

0xMaki: Exploit totally, a smart one - and he deserves the funds. I think I’ve found him btw…

rekt: Are you more impressed or embarrassed?

0xMaki: I’m impressed totally! There is no way I’m embarrassed! It’s fascinating to see all these hacks / exploits happening, even with robust audits there’s always some sort of new scenario emerging that we wouldn’t necessarily have planned or thought about.

This makes the ecosystem stronger and more resilient.

We only lost 15k from this attacker, maybe there were other individuals doing the same, I’ll need to take a closer look - we spotted this one because he started to affect the whole bar.

Anyway, at around 23:28 my time we (0xMaki and Andy) started to fix the issue.

Then we were inspecting the smaller transactions, just to check they were benign, and then - shit - turns out they are not.

Andy had just come back from a flight, he was jet lagged and couldn’t stay up, he had to go to sleep, so it was just me, until…

(samczsun)

rekt: How did he find out?

0xMaki: I’d contacted him since I’d been left alone without any .sol jedi.

rekt: .sol-diers

0xMaki: but sadly... it was late and he had plans like any sane person on a saturday night amirite?!

Back to square one, no one to help...

Tried Chef Nomi, all the core devs, leaving a step-by-step of the process in the main team channel in the hope someone wakes up.

Then I remembered Daniel, someone who had been keeping us in check since the start, so I contacted him, got on a call, briefed him.

rekt: Do you still speak to Nomi?

0xMaki: No.

0xMaki: 02:35 and we had a reproduction!!! We had figured out how the exploit worked and were able to reproduce it, so we could work on a fix.

03:19 we had the fix.

0xMaki: Things were looking better, the team was awakening and working on a fix. In the meantime - I turned to our exploiter, and saw that he was mainly a holder of SNX and ETH.

I look through his tx - this wasn't an account made to hack, this was someone poking around and finding an exploit.

rekt: What makes you say that?

0xMaki: Tips. He received numerous tips in SNX and ESD, so he is someone hanging out in both communities, most likely Discord.

I cross referenced who received and who sent certain tips across multiple dates, and bingo…

An insider from the SNX community helped me to identify the recipients of tips.

So that was that, the whole team was awake, we had a preliminary fix, and the attack had stopped. That’s when the news reached Twitter.

Editor's Note: We've since received the following indisputable evidence from the suspect -

"could never be me"

0xMaki: Nobody lost any funds since the money was pure profits destined to xSushi holders. We will be sending from our treasury 15k worth of Sushi divided pro-rata.

rekt: Nothing heavy then, a light meal! Any final message to the suspect?

0xMaki: Contact me! We have more smart contracts for you to poke at & we pay bug bounties!

I’d also like to thank everyone involved in the story, including the attacker.

