As exploits and hacks run rampant across the DeFi ecosystem, at least one project appears to have fended off the worst of an attack — the once-maligned “vampire” AMM (automated market maker) exchange Sushiswap.
Observers noticed last night that Sushiswap — which got its start leeching liquidity from rival AMM Uniswap — was experiencing an exploit, and that anonymous head developer 0xMaki was taking steps to mitigate it:
Possible @SushiSwap exploit found? @0xMaki sends exploiter a tx with a message to collect bug bounty.
— JuanSnow (@Juan_Snow1) November 29, 2020
See below
tx with message from 0xMaki https://t.co/1MdXqw9chq
Exploiter's address: https://t.co/ehh7EassCo @DefiantNews pic.twitter.com/fRpdA1j7y1
Reports from the Sushiswap Discord channel now indicate that the exploit has been resolved, and that all lost user funds (between $10,000 and $15,000) will be covered by the Sushiswap treasury.
To gain a better understanding of the exploit and what it means for Sushiswap, Cointelegraph spoke to one of the smart contract engineers whom 0xMaki personally thanked on Twitter for helping to mitigate its effects: self-described “DeFi degen” and Solidity developer ‘andy.’
Post-Mortem when I wake up, exploiter got around 10-15k so far from the 0.05% fees cut of Sushiswap.
— 0xMaki 源 義経 (@0xMaki) November 29, 2020
LP - xSushi holders are safe!
It is a fascinating one thanks @andy8052 @danielque & sushi core devs for the quick reaction and help.
More soon! https://t.co/QmhNMTP28L
According to andy, 0xMaki contacted him at 10 pm Eastern time.
“He (0xMaki) said there was some weirdness going on but was unsure what it was. We spent about 1 hour in a discord call going through transactions until we figured out what the exploit was.”
Andy explained that the attacker wrapped liquidity pool tokens and deployed them to a new pool, which let them execute “really weird logic to pull the underlying tokens from the reward contract.”
The affected contracts were patched within hours, and according to 0xMaki the auditing firm PeckShield will be reviewing the changes.
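As an added illustration (this is not Sushiswap's code, nor code from andy; the article gives no contract details), the following Python model shows the general class of problem the description points at: a fee or reward contract that swaps whatever it holds through whichever pool a factory returns can be made to trade into a pool the attacker created and seeded, handing the attacker the contract's tokens at a price the attacker chose. The token names (WLP, SUSHI, WETH), the reserves and the FeeConverter contract are constructed for this example; the pool math is a Uniswap-v2-style constant product with a 0.30% fee, assumed here. The hardened variant only routes through owner-approved pools with a minimum reserve, which is a generic mitigation for this class of bug and is not claimed to be the fix Sushiswap applied.

```python
"""Constant-product AMM model (added illustration, not Sushiswap's contracts)."""
from dataclasses import dataclass

FEE_BPS = 30  # 0.30% swap fee, Uniswap-v2 style (assumed for this model)


@dataclass
class Pool:
    """One constant-product pool: reserve0 * reserve1 stays constant across swaps."""
    token0: str
    token1: str
    reserve0: float
    reserve1: float

    def _reserves(self, token_in):
        if token_in == self.token0:
            return self.reserve0, self.reserve1
        if token_in == self.token1:
            return self.reserve1, self.reserve0
        raise ValueError(f"{token_in} is not in this pool")

    def get_amount_out(self, token_in, amount_in):
        r_in, r_out = self._reserves(token_in)
        amount_with_fee = amount_in * (10_000 - FEE_BPS)
        return amount_with_fee * r_out / (r_in * 10_000 + amount_with_fee)

    def swap(self, token_in, amount_in):
        """Sell amount_in of token_in into the pool; returns the amount received."""
        out = self.get_amount_out(token_in, amount_in)
        if token_in == self.token0:
            self.reserve0, self.reserve1 = self.reserve0 + amount_in, self.reserve1 - out
        else:
            self.reserve1, self.reserve0 = self.reserve1 + amount_in, self.reserve0 - out
        return out


class Factory:
    """Permissionless factory: anyone can create a pair, get_pair returns whatever exists."""
    def __init__(self):
        self.pools = {}

    @staticmethod
    def key(a, b):
        return tuple(sorted((a, b)))

    def create_pair(self, a, b, reserve_a, reserve_b):
        self.pools[self.key(a, b)] = Pool(a, b, reserve_a, reserve_b)
        return self.pools[self.key(a, b)]

    def get_pair(self, a, b):
        return self.pools.get(self.key(a, b))


class FeeConverter:
    """Hypothetical fee-collection contract (vulnerable): converts any token it holds to
    SUSHI via token -> WETH -> SUSHI, trusting whichever pools the factory returns."""
    def __init__(self, factory, balances):
        self.factory = factory
        self.balances = dict(balances)
        self.balances.setdefault("SUSHI", 0.0)

    def _route(self, token):
        return self.factory.get_pair(token, "WETH"), self.factory.get_pair("WETH", "SUSHI")

    def convert(self, token):
        leg1, leg2 = self._route(token)
        if leg1 is None or leg2 is None:
            raise ValueError("no route")
        weth = leg1.swap(token, self.balances.pop(token))
        sushi = leg2.swap("WETH", weth)
        self.balances["SUSHI"] += sushi
        return sushi


class HardenedFeeConverter(FeeConverter):
    """Same conversion, but only through owner-approved pools that also hold a minimum
    WETH reserve, so a pool the attacker created and seeded is never used."""
    def __init__(self, factory, balances, allowed_pairs, min_weth_reserve):
        super().__init__(factory, balances)
        self.allowed = {Factory.key(a, b) for a, b in allowed_pairs}
        self.min_weth_reserve = min_weth_reserve

    def convert(self, token):
        for pool in self._route(token):
            if pool is None or Factory.key(pool.token0, pool.token1) not in self.allowed:
                raise PermissionError(f"route for {token} is not on the allowlist")
            weth_reserve = pool.reserve0 if pool.token0 == "WETH" else pool.reserve1
            if weth_reserve < self.min_weth_reserve:
                raise PermissionError("pool too shallow to price against")
        return super().convert(token)


def run_scenario(hardened):
    """Constructed scenario: the converter holds 50 WLP (a wrapped LP token worth about
    1 WETH each at fair value); the attacker creates the only WLP/WETH pool and seeds it
    with just 1 WLP and 0.001 WETH, then triggers the conversion."""
    factory = Factory()
    factory.create_pair("WETH", "SUSHI", 1_000.0, 500_000.0)      # legitimate, deep pool
    attacker_pool = factory.create_pair("WLP", "WETH", 1.0, 0.001)  # attacker-owned, near-empty
    balances = {"WLP": 50.0}
    if hardened:
        converter = HardenedFeeConverter(factory, balances, [("WETH", "SUSHI")], 10.0)
    else:
        converter = FeeConverter(factory, balances)
    try:
        sushi = converter.convert("WLP")
    except PermissionError:
        sushi = 0.0  # hardened converter refuses the attacker's route; funds stay put
    return {
        "sushi_received": sushi,                              # ~0.49 SUSHI for 50 WLP (unhardened)
        "attacker_wlp_gained": attacker_pool.reserve0 - 1.0,  # WLP dumped into the attacker's pool
        "attacker_weth_paid": 0.001 - attacker_pool.reserve1,
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("hardened" if mode else "vulnerable", run_scenario(mode))
```

In the vulnerable run the converter sells 50 WLP into a pool holding 0.001 WETH, receives under 0.001 WETH, and ends up with roughly half a SUSHI; the attacker, who can withdraw the pool's liquidity, walks away with the 50 WLP for that 0.001 WETH. The hardened converter refuses because the WLP/WETH route was never approved, so converting WLP requires the owner to add a vetted pool first. Restricting who may trigger the conversion and checking the quoted price against a reference are further generic defences, again not claimed here to be what Sushiswap shipped.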
Adding a layer of intrigue to the exploit is that 0xMaki and the Sushiswap team attempted to communicate with the exploiter as they searched for a solution, sending a short message to the exploiter's address:
“I see you, we are working on fixing it. Contact me on Discord for a bug bounty - 0xMaki,” the message read.
Similar messages have been a feature of many recent hacks and exploits, including Value DeFi’s flash loan exploit, where the exploiter taunted the team (and later returned some of the ill-gotten proceeds to a victim claiming to be a nurse), and the earlier dForce hack, where the attacker returned funds with a note looking to the future.
andy, however, doesn’t think it’s the beginning of a wider trend.
“I don't see it turning into anything just cause it is expensive and inefficient,” he said.
The quick fix may also be a sign that Sushiswap's wider fortunes are on the rise. Sushiswap’s arrival on the scene, its founder’s exit scam, and the eventual return of the ‘rugpulled’ funds was one of the messiest stories of the wild DeFi summer.
With the passage of time, however, the market is once again showing signs of faith in Sushiswap. The price of the exchange’s SUSHI governance token is up over 100% on the month.
For his part, andy’s faith never wavered, and he sees the response to the attack as just another sign of the competence of the new Sushi team.
“They have been heads down working super hard. Just look at all the cool stuff they have released and are working on. It definitely doesn't hurt my view of them but also didn't really change much for me personally as I already thought pretty highly of the team.”