The hacker detected the double-spend vulnerability on Sushi Samurai’s code and transferred his funds to himself 25 times before cashing out nearly $5 million.
The token of Super Sushi Samurai, a Blast-based Telegram game, plunged over 99% on Thursday after an attacker drained nearly $5 million from the project’s liquidity provider (LP) wallet. The project confirmed the development in its official Telegram group and also in an X post, stating it was a mint-related drain.
“We have been exploited, it’s mint related. We are still looking into the code. Tokens were minted and sold into the LP,” the project noted in a Telegram update.
The exploit came just four days after Sushi Samurai launched its token. SSS was launched on March 17, with the project looking to start offering the game today.
Exploiter Dictated a Code Bug
According to a Yuga Lab developer, the explorer took advantage of a bug in Sushi Samurai’s code that doubled users’ accounts if they transferred their entire balance to themselves. He further noted that the hacker sent all his funds to himself about 25 times, doubling his balance at each transfer, then cashed out the 1310 ETH realized.
The @SSS_HQ $SSS LP was just drained on blast because their token contract has a bug where transferring your entire balance to yourself doubles it.
The order of operations decrements the balance for "from" and then sets the balance for "to" – if these are the same address, the… pic.twitter.com/RStMcFH3sy
— Coffee ☕️🍌 (@coffeexcoin) March 21, 2024
Luckily for Sushi Samurai, the hacker seemed white-hat after attempting to contact the team. The exploiter dropped a BlastScan message describing the operation as a “white-hat rescue hack.”
“Hi team, this is a white hat rescue hack. Let’s work on reimbursing the users. Please reach out via Blockscan chat from the SSS deployer,” the hacker wrote.
The Sushi Samurai team also confirmed they are already in contact with the hacker.
Following the drain, SSS lost over 99% of its value and is trading at $0.00000000001919. Its market cap also plunged from $27 million to nothing in minutes.
The exploit came just one month after the ERC-X token Miner crashed over 99% to a similar code loophole. According to the report, the drainer undiscovered the double-spend vulnerability and drained the project of $10 million.
