SushiSwap denies reports of billion dollar bug

September 23, 2021 Coin Telegraph

Claims by a self professed white-hat hacker about a major security risk to SushiSwap liquidity providers have been rejected by one of the exchange’s devs.

The developer behind popular decentralized exchange SushiSwap has rejected a purported vulnerability reported by a white-hat hacker snooping through their smart contracts.

According to media reports, the hacker claimed to have identified a vulnerability that could place more than $1 billion worth of user funds under threats, stating they went public with the information after attempts to reach out to SushiSwap’s developers resulted in inaction.

The hacker claims to have identified a “vulnerability within the emergencyWithdraw function in two of SushiSwap’s contracts, MasterChefV2 and MiniChefV2” — contracts that govern the exchange’s 2x reward farms and the pools on SushiSwap’s non-Ethereum deployments such as Polygon, Binance Smart Chain and Avalanche.

While the emergencyWithdraw function allows liquidity providers to immediately claim their LP tokens while forfeiting rewards in the event of an emergency, the hacker claims the feature will fail if no rewards are held within the SushiSwap pool — forcing liquidity providers to wait for the pool to be manually refilled over a roughly 10-hour process before they can withdraw their tokens.

“It can take approximately 10 hours for all signature holders to consent to refilling the rewards account, and some reward pools are empty multiple times a month,” the hacker claimed, adding:

“SushiSwap’s non-Ethereum deployments and 2x rewards (all using the vulnerable MiniChefV2 and MasterChefV2 contracts) hold over $1 billion in total value. This means that this value is essentially untouchable for 10-hours several times a month.”

However, SushiSwap’s pseudonymous developer has taken to Twitter to reject the claims, with the platform's "Shadowy Super Coder Mudit Gupta stressing that the threat described “is not a vulnerability” and that “no funds are at risk.”

Gupta clarified that “anyone” can top up the pool’s rewarder in the event of an emergency, bypassing much of the 10-hour multi-sig process the hacker claimed is needed to replenish the rewards pool. They added:

“The hacker's claim that someone can put in a lot of lp to drain the rewarder faster is incorrect. Reward per LP goes down if you add more LP.”

The hacker said they had bee instructed to report the vulnerability on bug bounty platform Immunefi — where SushiSwap is offering to pay rewards of up to $40,000 to users that report risky vulnerabilities in their code — after they first reached out to the exchange.

They noted that the issue was closed on Immunefi without compensation, with SushiSwap stating they were aware of the matter described.

Poly Network hacker returns nearly all funds, refuses $500K white hat bounty

August 12, 2021 Coin Telegraph

Poly Network hacker returns nearly all funds, refuses 0K white hat bounty

Business

"The poly did offered a bounty, but I have never responded to them. Instead, I will send all of their money back," said the hacker.

The hacker behind a $610 million attack on the cross-chain decentralized finance (DeFi) protocol Poly Network has returned almost all of the stolen funds amid the project saying their actions constituted “white hat behavior.”

According to a Thursday update on the attack from Poly Network, all of the $610 million in funds taken in an exploit that used "a vulnerability between contract calls” have now been transferred to a multisig wallet controlled by the project and the hacker. The only remaining tokens are the roughly $33 million in Tether (USDT), which were frozen immediately following news of the attack.

The hacker had been communicating with the Poly Network team and others through embedded messages in Ethereum transactions. They seemed to have not planned to transfer the funds after successfully stealing them, and claimed to do the hack “for fun” because “cross-chain hacking is hot.”

However, after speaking with the project and users, the hacker returned $258 million of the funds on Wednesday. Poly Network said it determined that the attack constituted “white hat behavior” and offered the hacker, whom it dubbed “Mr. White Hat,” a $500,000 bounty:

"We assure you that you will not be accountable for this incident. We hope that you can return all the tokens as soon as possible [...] We will send you the 500k bounty when the remainings are returned except the frozen USDT.”

"The poly did offered a bounty, but I have never responded to them. Instead, I will send all of their money back," said the hacker.

With the remainder of the funds, with the exception of the frozen USDT, now returned, the biggest hack in decentralized finance seems to be coming to an end. Though the hacker’s identity has yet to be made public, Chinese cybersecurity firm SlowMist posted an update shortly after news of the hack broke, saying its analysts had identified the attacker's email address, IP address and device fingerprint.

Millions Drained in ForceDAO Attacks, White Hat Returns Funds

April 4, 2021 The Crypto Briefing

Another multi-million dollar rug pull has hit the DeFi space. This weekend, ForceDAO is the victim.

Disaster for ForceDAO

ForceDAO has suffered a major attack.

The exploit centers on a bug in the xFORCE contract’s code, which allowed anyone to call the “deposit” function regardless of whether they were holding FORCE tokens. That meant it was possible to mint xFORCE tokens from the contract without locking any tokens in the vault.

Anyone could then exchange these tokens for FORCE by calling the “withdraw” function in the contract.

Several attackers took advantage of the exploit earlier this morning. One of them took about 14.8 million FORCE, which had a notional value of around $34 million at the time. They’ve since returned the funds to the pool.

However, four others drained another 6.75 million tokens and have begun exchanging their takings for ETH on various exchanges. As the white hat attacker had already found the exploit, liquidity plunged, which meant every subsequent attacker earned significantly less for their FORCE.

Mudit Gupta, blockchain team lead at Polymath Network, detailed the attack in a tweetstorm.

xFORCE contract from @force_dao hacked and drained by a whitehacker. In the FORCE token, the transfer functions return false rather than reverting when the sender doesn't have enough balance. The xFORCE contract assumes FORCE will revert and does not handle the returned value. pic.twitter.com/lPo9vJ48bs

— Mudit Gupta (@Mudit__Gupta) April 4, 2021

ForceDAO organized a highly anticipated airdrop yesterday, in which FORCE tokens were distributed to active Ethereum users. It was trading at around $2.30 earlier this morning but has since plummeted. At one point, it was down 95% and is now worth around $0.26.

One of the black hat attackers used an address linked to the centralized exchange FTX, which gives some hope that the funds may be recovered. Most of the rest, though, has already been sold through the decentralized exchanges 1inch and SushiSwap.

ForceDAO took to Twitter to confirm the attack. According to the team, a post-mortem will follow.

ATTENTION

Our team is aware of the xFORCE contract exploit and has identified the nature of the issue.

There are no further funds available on the xFORCE contract to be exploited.

All other vaults are safe.

We will provide a post-mortem and next steps over the coming hours.

— Force (@force_dao) April 4, 2021

This is a developing story and will be updated as further details surface.

Disclosure: At the time of writing, the author of this feature owned ETH and several other cryptocurrencies. They also had exposure to SUSHI in a cryptocurrency index.

White Hat