Cryptocurrency Launch Pad Hit By $ 3 Million Supply Chain Attack


SushiSwap’s CTO says the company’s MISO platform has been hit by an attack on its software supply chain. SushiSwap is a community-driven decentralized finance (DeFi) platform that lets users trade, earn, lend, borrow, and leverage crypto assets from one place. Launched at the beginning of this year, Sushi’s newest offering, Minimal Initial SushiSwap Offering (MISO), is a token launch pad that allows projects to launch their own tokens on the Sushi network.

Unlike cryptocurrencies, which need their own native blockchain and substantial infrastructure, DeFi tokens are easier to implement because they run on an existing blockchain. For example, anyone can create their own “digital tokens” on top of the Ethereum blockchain without having to build a new cryptocurrency from scratch.

Attacker Steals $3 Million In Ethereum Via GitHub Commit

In a Twitter thread today, SushiSwap CTO Joseph Delong announced that an auction on the MISO launch pad had been hijacked via a supply chain attack. An “anonymous contractor” with the GitHub handle AristoK3 and access to the project’s code repository had pushed a malicious commit that was then deployed on the platform’s front end.

A software supply chain attack occurs when an attacker interferes with or hijacks the software build and delivery process to insert malicious code, so that a large number of consumers of the finished product are harmed by the attacker’s actions. This can happen when code libraries or individual components used in a software build are contaminated, when software update binaries are trojanized, when code-signing certificates are stolen, or even when a server that delivers software as a service is breached. Compared with an isolated security breach, a successful supply chain attack therefore has far more widespread impact and causes far more damage.

In the MISO case, Delong says that “the attacker inserted his own wallet address to replace the auction [wallet] at the creation of the auction”:

Through this exploit, the attacker was able to funnel 864.8 Ether (around $3 million) into his wallet.
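To make the mechanism concrete, here is an added example in JavaScript; it is not SushiSwap’s or MISO’s code, and the function selector, the createAuction argument list, and every address in it are constructed for illustration rather than taken from the real MISO contracts. It models the attack class described above (a front end that silently swaps the recipient wallet while building the auction-creation calldata) beside the check a signing step can run to catch it: decode the calldata the wallet is about to sign and compare it against what the user actually entered.

```javascript
// Added example (hypothetical, not SushiSwap/MISO code or the real MISO ABI).
// Assumed factory function: createAuction(address token, uint256 totalTokens,
// address paymentCurrency, address wallet). Static arguments are encoded as
// 32-byte words after a 4-byte selector, which is the standard Ethereum ABI layout.

const SELECTOR = "0xa1b2c3d4"; // hypothetical 4-byte function selector (constructed)

// Constructed sample addresses; none of these are real accounts.
const USER_WALLET     = "0x1111111111111111111111111111111111111111";
const ATTACKER_WALLET = "0x2222222222222222222222222222222222222222";
const TOKEN           = "0x3333333333333333333333333333333333333333";
const PAYMENT_ETH     = "0x0000000000000000000000000000000000000000";

// Left-pad a hex string (with or without 0x) to one 32-byte ABI word.
function padWord(hex) {
  return hex.replace(/^0x/, "").toLowerCase().padStart(64, "0");
}

// Encode the four static arguments the way the Ethereum ABI lays them out.
function encodeCreateAuction({ token, totalTokens, paymentCurrency, wallet }) {
  return SELECTOR
    + padWord(token)
    + padWord(BigInt(totalTokens).toString(16))
    + padWord(paymentCurrency)
    + padWord(wallet);
}

// Honest front end: builds calldata from exactly what the user entered.
function buildCalldataHonest(form) {
  return encodeCreateAuction(form);
}

// Backdoored front end: same interface and same UI, but the wallet argument is
// replaced with the attacker's address, so the auction proceeds go elsewhere.
function buildCalldataBackdoored(form) {
  return encodeCreateAuction({ ...form, wallet: ATTACKER_WALLET });
}

// Decode the static arguments back out of the calldata.
function decodeCreateAuction(calldata) {
  const body = calldata.slice(SELECTOR.length);
  const word = (i) => body.slice(i * 64, (i + 1) * 64);
  const addr = (w) => "0x" + w.slice(24); // last 20 bytes of the word
  return {
    token: addr(word(0)),
    totalTokens: BigInt("0x" + word(1)),
    paymentCurrency: addr(word(2)),
    wallet: addr(word(3)),
  };
}

// The check: before the wallet signs, decode the payload and verify that every
// field matches the user's intent. Returns a list of mismatches (empty = ok).
function verifyBeforeSigning(calldata, form) {
  const decoded = decodeCreateAuction(calldata);
  const problems = [];
  for (const field of ["token", "paymentCurrency", "wallet"]) {
    if (decoded[field] !== form[field].toLowerCase()) {
      problems.push(`${field}: expected ${form[field]}, calldata has ${decoded[field]}`);
    }
  }
  if (decoded.totalTokens !== BigInt(form.totalTokens)) {
    problems.push(`totalTokens: expected ${form.totalTokens}, calldata has ${decoded.totalTokens}`);
  }
  return problems;
}

// Constructed auction form, as a user would fill it in.
const form = { token: TOKEN, totalTokens: "1000000", paymentCurrency: PAYMENT_ETH, wallet: USER_WALLET };

console.log("honest:", verifyBeforeSigning(buildCalldataHonest(form), form));
console.log("backdoored:", verifyBeforeSigning(buildCalldataBackdoored(form), form));
```

The point of the check is that the UI and the signed payload are two different things: the page can show the user’s wallet address while the calldata carries another one. Re-decoding the transaction at the signing boundary (in a wallet, a browser extension, or an independent second review of the transaction before it is broadcast) catches the swap even when the front end that produced it is fully compromised.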

So far, only one auction, Auto Mart (1, 2), has been exploited on the platform, according to Delong, and all affected auctions have been patched. The auction’s final total matches the amount of Ether stolen.

Stolen funds from Auto Mart auction on SushiSwap's MISO platform

SushiSwap has requested the attacker’s Know Your Customer (KYC) records from the cryptocurrency exchanges Binance and FTX in an effort to identify the attacker. Binance said publicly that it is investigating the incident and offered to work with SushiSwap.

“Assuming the funds are not returned by 8:00 ET, we have instructed our attorney [Stephen Palley] to file an IC3 complaint with the FBI,” Delong said.

Ars has watched the balance of the attacker’s wallet drop over the last few hours, indicating that the funds are on the move. Recent transactions (1, 2) show the “Miso Front End Exploiter” returning the stolen coins to the SushiSwap wallet labelled “Multisig operation.”

It is not unheard of for attackers and cybercriminals to return stolen funds to their rightful owner for fear of law-enforcement repercussions, as was seen in the $600 million Poly Network heist.

But how did the attacker get access to GitHub?

According to SushiSwap, the rogue contractor AristoK3 pushed the malicious commit 46da2b4420b34dfba894e4634273ea68039836f1 to Sushi’s “miso-studio” repository. Since the repository appears to be private, GitHub returns a 404 “not found” error to anyone not authorized to view it. So how did the “anonymous contractor” get access to the project repository in the first place? Surely there must be a vetting process somewhere at SushiSwap?

Although anyone can offer to contribute to a public GitHub repository, only specific people can access or contribute to private ones. And even then, ideally, commits are reviewed and approved by trusted members of the project before they are merged.

Cryptocurrency enthusiast Martin Krung, creator of the “vampire attack,” wondered whether the attacker’s pull request had been properly reviewed before being merged into the codebase, and received feedback from previous SushiSwap contributors:

A rough analysis compiled by SushiSwap attempts to track down the attacker and references multiple digital identities. SushiSwap believes that GitHub user AristoK3 is associated with the Twitter handle eratos1122, although the latter’s response is not conclusive. “This is really crazy … Please delete it and say ‘sorry’ to everyone … If not, I will share the entire MISO project [sic] that I have (you know very well what I have worked on in the MISO project),” eratos1122 replied.

Because some of the digital identities mentioned in the analysis remain unverified, Ars is refraining from naming them until more information is available. We have reached out to Delong and the alleged attackers for more information and are awaiting their responses.




arstechnica.com
