A pseudonymous cryptocurrency pentester, known for his white hat hacking activities, found himself in a race against time and malicious bots after identifying a vulnerability in SushiSwap’s RouterProcessor2 contract.
The hacker managed to secure 100 ether (ETH) of the affected funds before malicious bots copied the attack, which resulted in a loss of more than $3.3 million (approximately 1,800 ETH). The hacker, whose identity remains unknown, tweeted today that they had successfully “hacked” 0xSifu for 100 ETH and were willing to return the funds if contacted. Sifu later thanked him in a tweet for the restitution.
However, their attempt to protect the platform was thwarted by the quick actions of miner extractable value (MEV) bots, which deployed contracts and replicated the attack before the vulnerability could be fully addressed.
Miner Extractable Value (MEV) bots are automated programs designed to exploit profit opportunities within blockchain networks, specifically within the Ethereum ecosystem. These bots take advantage of the inherent design of decentralized networks, where miners are responsible for validating and ordering transactions within blocks. MEV bots seek to capitalize on the power miners have to choose which transactions to include in a block and the order in which they are placed.
The main focus of MEV bots is to identify and act on profitable opportunities, such as frontrunning, backrunning, arbitrage, and sandwich attacks. These strategies allow MEV bots to benefit from knowledge of pending transactions by manipulating their position within the block. When Trust was asked why he did not simply warn Sifu, he replied:
“I wasn’t aware of how ridiculously advanced MEV bots are (rebuilt 3 TX), I thought every second mattered and wanted to hack a bunch more addresses.”
The question apparently hinted at the cybersecurity principle of responsible disclosure. Responsible disclosure is a tenet within the cybersecurity community that emphasizes the ethical reporting of discovered vulnerabilities in software or systems to the respective developers or vendors before making the information public. The primary goal of responsible disclosure is to provide the affected party with the opportunity to address and fix the vulnerability, thereby minimizing the risk of exploitation by malicious actors.
In the context of cryptocurrencies and blockchain technology, preemptive hacking to secure funds in a vulnerable position might not be a favorable option due to the public nature of crypto transactions. In decentralized networks, transaction data is transparent and accessible to all participants.
This transparency allows bad actors to observe and imitate such transactions. Consequently, preemptive hacking is only reasonable when all vulnerable funds can be secured quickly enough to prevent bad actors from replicating the attack in time.
Blockchain security firm PeckShield weighed in on the situation, revealing that the RouterProcessor2 contract on SushiSwap had an approval-related bug that led to the substantial loss suffered by 0xSifu. The firm urged users who had approved the contract to revoke their approval as soon as possible, providing a link to the contract address on Etherscan.
Jared Grey, lead developer of SushiSwap, confirmed the presence of the approval error in the RouterProcessor2 contract via a tweet. He urged users to immediately revoke their approval and assured them that the platform’s security teams were working to mitigate the issue. Grey also reported that a significant portion of the affected funds had been secured through a white hat security process.
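The advice above, “revoke your approval”, means sending the token an `approve(spender, 0)` call so the router contract can no longer move the user's balance. The following is an added example written for this article, not code from SushiSwap, PeckShield or the article's author: it assumes only the standard ERC-20 `allowance` and `approve` interface, builds the raw calldata a wallet would submit, parses a sample `allowance()` response, and flags unlimited approvals. Every address and allowance value in it is a constructed placeholder; no RPC connection is made.

```python
"""Added example (not from the article): build the ERC-20 calls a wallet
uses to audit and revoke a token approval, the mitigation PeckShield and
SushiSwap advised. Pure Python, no RPC: it produces the hex calldata and
parses a sample eth_call response. All addresses are constructed placeholders."""

# Four-byte function selectors: the first 4 bytes of keccak256 of the signature.
SELECTOR_ALLOWANCE = "dd62ed3e"  # allowance(address,address)
SELECTOR_APPROVE = "095ea7b3"    # approve(address,uint256)
UINT256_MAX = 2**256 - 1


def _strip0x(hexstr: str) -> str:
    h = hexstr.lower()
    return h[2:] if h.startswith("0x") else h


def _pad_address(addr: str) -> str:
    """Left-pad a 20-byte address to a 32-byte ABI word."""
    h = _strip0x(addr)
    if len(h) != 40 or any(c not in "0123456789abcdef" for c in h):
        raise ValueError(f"not a 20-byte hex address: {addr}")
    return h.rjust(64, "0")


def _pad_uint256(value: int) -> str:
    if not 0 <= value <= UINT256_MAX:
        raise ValueError("value out of uint256 range")
    return f"{value:064x}"


def encode_allowance_call(owner: str, spender: str) -> str:
    """Calldata for allowance(owner, spender), sent via eth_call to the token."""
    return "0x" + SELECTOR_ALLOWANCE + _pad_address(owner) + _pad_address(spender)


def encode_revoke_call(spender: str) -> str:
    """Calldata for approve(spender, 0): a zero allowance leaves the spender
    nothing to transfer, which is what 'revoke your approval' means on-chain."""
    return "0x" + SELECTOR_APPROVE + _pad_address(spender) + _pad_uint256(0)


def decode_allowance(return_data: str) -> int:
    """Parse the single uint256 word that allowance() returns."""
    h = _strip0x(return_data)
    if len(h) != 64:
        raise ValueError("allowance() returns exactly one 32-byte word")
    return int(h, 16)


def classify_allowance(amount: int) -> str:
    if amount == 0:
        return "none"
    if amount == UINT256_MAX:
        return "unlimited"  # the 'infinite approval' many wallets grant by default
    return "limited"


def plan_revocations(owner: str, approvals: list[dict]) -> list[dict]:
    """Given (token, spender, raw allowance() response) records, return the
    transactions needed to zero every non-zero allowance."""
    plan = []
    for rec in approvals:
        amount = decode_allowance(rec["allowance_return_data"])
        if amount == 0:
            continue  # nothing to revoke
        plan.append({
            "to": rec["token"],  # approve() is called on the token, not the spender
            "data": encode_revoke_call(rec["spender"]),
            "audit_call": encode_allowance_call(owner, rec["spender"]),
            "current": classify_allowance(amount),
        })
    return plan


# Constructed sample data: one router contract (the spender) holding an
# unlimited approval on one token, a limited one on a second, none on a third.
OWNER = "0x" + "aa" * 20
ROUTER = "0x" + "bb" * 20
SAMPLE_APPROVALS = [
    {"token": "0x" + "01" * 20, "spender": ROUTER,
     "allowance_return_data": "0x" + "f" * 64},
    {"token": "0x" + "02" * 20, "spender": ROUTER,
     "allowance_return_data": "0x" + _pad_uint256(5 * 10**18)},
    {"token": "0x" + "03" * 20, "spender": ROUTER,
     "allowance_return_data": "0x" + "0" * 64},
]

if __name__ == "__main__":
    for tx in plan_revocations(OWNER, SAMPLE_APPROVALS):
        print(f"revoke {tx['current']} allowance: to={tx['to']} data={tx['data']}")
```

A real wallet would send each `audit_call` through `eth_call` to get the live allowance, then sign and broadcast a transaction with `to` and `data` from the plan. Revocation is a normal transaction, so it is as visible in the mempool as anything else; the difference from the situation in the article is that there is nothing for a bot to gain by copying it.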
In a follow-up tweet, Grey announced the recovery of more than 300 ETH from CoffeeBabe, a user who had managed to recover part of the stolen funds. SushiSwap is also in contact with the Lido team to secure an additional 700 ETH.
This incident highlights the ever-evolving landscape of cryptocurrency security, where white hat hackers work to protect platforms and assets, but malicious actors remain a constant threat. It also underscores the need for increased security measures and collaboration between platforms and white hat hackers to address vulnerabilities and minimize losses.