Super Sushi Samurai, a blockchain game native to layer-2 solution Blast, was exploited hours before its much-anticipated gaming product was launched.
The exploit, reportedly orchestrated by a white hat hacker, has resulted in a loss of $4.6 million due to a bug in its smart contract code.
Smart Contract Bug Exploited
According to an announcement from the Super Sushi Samurai team, the exploit was due to a bug in the smart contract code, allowing an unauthorized party to initiate an infinite mint function. This resulted in the creation of an excessive number of tokens that were subsequently sold into the liquidity pool.
We have been exploited, it’s mint related. We are still looking into the code. Tokens were minted and sold into the LP.
Transaction:https://t.co/F4XeqdyJu2the exploited funds are in this wallet: https://t.co/NWeTu5vMkj
— Super Sushi Samurai | SSS (@SSS_HQ) March 21, 2024
CertiK, an on-chain security firm, confirmed the extent of the exploit, stating that $4.6 million worth of tokens were affected. According to CoinGecko data, the exploit led to a 99% token value slippage following an unauthorized token dump. The attacker managed to get 1310 ETH from the token’s main liquidity pool by exploiting the smart contract vulnerability.
Investigations into the incident revealed that an unauthorized party acquired 690 million SSS tokens and initiated a series of transactions through an attack contract designed for this purpose.
The @SSS_HQ $SSS LP was just drained on blast because their token contract has a bug where transferring your entire balance to yourself doubles it.
The order of operations decrements the balance for “from” and then sets the balance for “to” – if these are the same address, the… pic.twitter.com/RStMcFH3sy
— Coffee ☕️🍌 (@coffeexcoin) March 21, 2024
Exploiting a vulnerability within the platform’s update function, the attacker duplicated the tokens in their possession 25 times, inflating the quantity to 11.5 trillion, which was then exchanged for approximately 1,310 ETH.
Recovery Efforts
Following the breach, Super Sushi Samurai has actively engaged with its community, providing updates and assurances through its official Telegram channel and other social media platforms.
In an X post, they revealed that the exploit was conducted by a white hat hacker who is currently in communication with their team. The hacker’s message, visible on Blastscan, indicated that it was a rescue mission and plans to reimburse affected users were underway.
They have also disclosed the address containing the compromised funds to facilitate tracking and potential recovery of the lost assets and that they are working with the white hat hacker to ensure the safe return of funds.
1. Post-mortem:
The token contract has a bug where transferring your entire balance to yourself doubles it. h/t @coffeexcoin2. Damage details:
total eth in pool before exploit: 1339.50 ETH
Whitehat: 1,310.04 ETH
Blackhat : 40.28 ETH
we remove LP and got: 29.09 ETH3. Update:…
— Super Sushi Samurai | SSS (@SSS_HQ) March 22, 2024
Meanwhile, a “post-mortem” update from Super Sushi Samurai outlines the extent of the damage, with negotiations ongoing to reach a resolution that safeguards both users and the white hat hacker involved in the incident.
LIMITED OFFER 2024 for CryptoPotato readers at Bybit: Use this link to register and open a $500 BTC-USDT position on Bybit Exchange for free!