Security expert of a high-profile VC firm Paradigm, who goes by the @samczsun name on Twitter, has shared how he spotted and reported one of the most critical bugs in Ethereum DeFi segment’s history.
“Two rights might make a wrong”
According to an exciting story shared by @samczsun on the official Paradigm's website, he noticed a discussion in Telegram between Ethereum (ETH) developers about the MISO, a novel SushiSwap-centric token sale instrument.
Auditor's logs, 16th of August. I found a critical vulnerability in SushiSwap's MISO platformhttps://t.co/untzdxay7q— samczsun (@samczsun) August 17, 2021
The white-hat hacker started checking the architecture of the project and noticed two functions with no access control and one function that had not been properly initialized.
But then, he found way more sensitive bugs: due to the flaws in MISO Dutch Auction design, hypothetical malefactors were able to drain all the liquidity from the $350 million contract.
The expert admitted that the vulnerability was similar to the flaw identified in the Opyn DeFi contracts. In early August, 2020, it was drained of almost 370,000 USD Coins (USDC).
All is well that ends well
To double-check his findings, Mr. Samczsun contacted his colleagues Georgios Konstantopoulos, Dan Robinson and SushiSwap (SUSHI) CTO Joseph Delong.
The developers decided to reach the team behind the auction (BitDAO) and offer them to finalize the auction manually by purchasing back all tokens available.
As a result, all funds were saved in five hours. Mr. Samszun concluded that using 'safe' components does not necessarily guarantee the safety of the whole system.
As covered by U.Today previously, the white-hat hacker of Poly Network is returning funds to their victims. Also, the team of Poly Network offered them a role of Chief Security Advisor along with a $0.5 million bounty.