SushiSwap is back: it has been a while since we last talked about a bug exploit, the exploitation of loopholes that are unfortunately all too often found in decentralized finance (DeFi). Today's scandal took place in the pools of the decentralized exchange (DEX) SushiSwap.
How to convert 0.001 ETH to 81.68 ETH
As the crypto media outlet Rekt explains, a hacker discovered and exploited a loophole in a low-liquidity pool on SushiSwap.
More precisely, it was the pool for the DIGG token of the Badger DAO project. The hacker managed to appropriate all the transaction fees generated in that pool over 24 hours, fees that all liquidity providers in the pool would normally have shared among themselves.
Using only 0.001 ether (or $1.31), the hacker managed to divert 81.68 ether to his own account, a heist of just over $107,000 at the current price!
As the transaction in question shows, the individual converted his small initial stake of ether into DIGG tokens, then into Wrapped BTC (WBTC, the tokenized version of BTC on Ethereum), before recovering his loot in Wrapped ETH.
A “little” warning for SushiSwap’s billions in cash?
Rekt explains, however, that this was an old flaw for which a fix had already been developed.
The problem is that this fix had to be “manually applied to each new pool”, and evidently the DIGG/WBTC pool we are talking about today did not receive it in time.
But the situation could have been much more dramatic according to Rekt:
“Upon further research, we discovered that while there was this exploit, the damage was contained, and what had been seen as a threat to the entire SushiSwap protocol was simply the work of a clever scavenger who collected crumbs still available.”
The conversation the Rekt team had with SushiSwap on Discord was not reassuring. They claim that they do not automate the application of the fix, so the risk of a pool being forgotten is very real.