SushiSwap’s MISO Exploited for $3M in ETH By Anonymous Contractor

Decentralized finance protocol SushiSwap has reported a security breach involving one of its platforms, the Minimal Initial SushiSwap Offering (MISO) portal. The portal includes open-source smart contracts that make it easy for new crypto projects to issue tokens that will eventually be listed on the SushiSwap exchange.

However, SushiSwap CTO Joseph Delong reported Friday that malicious code was injected into the front end by an anonymous contractor who had access to SushiSwap’s GitHub account.

Amid an ongoing NFT auction for automobile-focused Jay Pegs Auto Mart, the attacker replaced the contract’s address with another address that he controls, allowing him to receive funds originally intended for the NFT issuer.

Before the SushiSwap team identified and fixed the malicious code, the attacker had received 864.8 ETH (approx. $3 million), which was still held at the address at the time of writing.

SushiSwap MISO Attacker is a Known Suspect

Aside from being linked to a known Twitter handle, the SushiSwap attacker is also noted to have worked with other DeFi protocols, including Yearn Finance.

On-chain data shows that the address which funded the attacker’s wallet has withdrawn funds from Binance in the past and has also interacted with FTX.

Delong noted that SushiSwap’s team has contacted crypto exchanges Binance and FTX, asking them to disclose personal information regarding the alleged suspect. However, both platforms declined to do so despite the “time sensitive” nature of the matter.

SushiSwap’s Delong says the project plans to file an “IC3 complaint with the FBI” if the attacker does not return the funds by 8 am ET.

Meanwhile, the price of SushiSwap’s native token, SUSHI, suffered a 17% decline in the aftermath of the incident.

Update: A few hours after our initial report, the SushiSwap MISO attacker returned all of the ETH stolen from the project.