SushiSwap is the latest victim of a cyberattack. In a supply-chain attack, a cybercriminal stole about $3 million from SushiSwap’s MISO token-launch platform.
The attacker carried out the theft by compromising Sushi’s private GitHub repository. According to researchers from Sonatype, an anonymous contractor working on Sushi’s code base inserted malicious code into the private repository for MISO’s front end (miso-studio) in a single commit. The injected code redirected the proceeds of a live MISO auction (the car-dealership-themed Jay Pegs Auto Mart NFT sale) to a wallet under the attacker’s control, and 864.8 ETH (worth about $3 million) was stolen.
Surprisingly, the attacker’s $3 million wallet balance began to decline within hours of the hack. All of the money was returned to SushiSwap’s operational multisig wallet in transfers of 65 ETH, 100 ETH, and 700 ETH.
“The full funds were returned to the Operational Multisig after a period of discussion in quantities of 100 ETH, 700 ETH, and 65 ETH,” confirmed Sushi in a tweet.
According to investigators, the attacker returned the funds within a single day.
The incident echoes the recent Poly Network heist. Poly Network, a decentralized cross-chain protocol, was hacked last month; cryptocurrency worth about $611 million (across several chains and tokens, not bitcoin alone) was stolen but later returned in full.
Experts cautioned that this kind of happy ending may not always be the case.
Supply-chain attacks aren’t the only threat troubling crypto businesses. Another recent incident, an exploit of pNetwork (a cross-chain decentralized finance system), resulted in the loss of 277 pBTC, worth more than $12 million in bitcoin at current prices.
Attacks on the software supply chains of cryptocurrency exchanges are becoming increasingly common. The SushiSwap incident shows how a single lapse in the pull-request or code-review process can have disastrous consequences: one unreviewed commit was enough to swap a payout address in the front end.
After the theft, SushiSwap tightened its defenses against supply-chain threats. The project has implemented additional Git protections: hardened administrator accounts, protected master/main branches, required pull-request approvals, “automated diff checker implementations,” and a commit-signature policy.
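As an added illustration of what an “automated diff checker” for this kind of attack can look like (this is example code written for this page, not SushiSwap’s own tooling), the script below parses a unified diff and flags any added Ethereum address that is not on an allowlist, as well as any allowlisted address that a change removes without re-adding it. The repository paths, the allowlisted multisig address and the sample diffs are all constructed for the example; in CI you would feed it `git diff origin/main...HEAD` and fail the pull request on any finding.

```python
"""Minimal diff checker for hard-coded Ethereum addresses (example, not Sushi's code)."""
import re
import sys

# An Ethereum address is 0x followed by 40 hex characters; the \b anchors
# stop us matching the first 40 characters of a 64-hex transaction hash.
ETH_ADDR_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")

# Hypothetical allowlist: the only addresses the front end may reference.
# The value here is constructed for this example.
ALLOWED_ADDRESSES = {
    "0x1111111111111111111111111111111111111111",  # treasury multisig (constructed)
}


def parse_diff(diff_text):
    """Yield (path, kind, content) for every added or removed line in a unified diff."""
    current_file = None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            current_file = line[4:].strip()
            if current_file.startswith("b/"):
                current_file = current_file[2:]
            continue
        if line.startswith(("--- ", "@@", "diff ")):
            continue
        if line.startswith("+"):
            yield current_file, "added", line[1:]
        elif line.startswith("-"):
            yield current_file, "removed", line[1:]


def check_diff(diff_text, allowed=ALLOWED_ADDRESSES):
    """Return a list of findings; an empty list means the diff passes."""
    allowed_l = {a.lower() for a in allowed}
    per_file = {}  # path -> {"added": set(), "removed": set()} of lower-cased addresses
    for path, kind, content in parse_diff(diff_text):
        seen = per_file.setdefault(path, {"added": set(), "removed": set()})
        for addr in ETH_ADDR_RE.findall(content):
            seen[kind].add(addr.lower())

    findings = []
    for path, seen in sorted(per_file.items(), key=lambda item: str(item[0])):
        # Any new address that is not allowlisted is suspicious.
        for addr in sorted(seen["added"] - allowed_l):
            findings.append(f"{path}: added address not in allowlist: {addr}")
        # A known-good address that disappears (and is not simply moved) is suspicious too.
        for addr in sorted((seen["removed"] & allowed_l) - seen["added"]):
            findings.append(f"{path}: allowlisted address removed: {addr}")
    return findings


# Constructed sample: a commit that swaps the auction payout wallet, the
# pattern of the MISO incident.  Both addresses are fake.
MALICIOUS_DIFF = """\
diff --git a/src/config.js b/src/config.js
--- a/src/config.js
+++ b/src/config.js
@@ -1,3 +1,3 @@
 export const AUCTION_WALLET =
-  "0x1111111111111111111111111111111111111111";
+  "0x2222222222222222222222222222222222222222";
 export const NETWORK = "mainnet";
"""

# Constructed sample: a harmless UI change that touches no addresses.
BENIGN_DIFF = """\
diff --git a/src/App.js b/src/App.js
--- a/src/App.js
+++ b/src/App.js
@@ -10,2 +10,2 @@
-  const title = "MISO";
+  const title = "MISO Auctions";
"""


def main(diff_text):
    """Print findings and return a CI-style exit code (1 = block the merge)."""
    findings = check_diff(diff_text)
    for finding in findings:
        print("BLOCK:", finding)
    return 1 if findings else 0


if __name__ == "__main__":
    # Read a real diff from stdin if one is piped in, otherwise run the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else MALICIOUS_DIFF
    sys.exit(main(text))
```

The check is deliberately conservative: it does not try to decide whether a new address is “good”, it only refuses to merge anything that introduces an address a reviewer has not explicitly approved, which is exactly the step that was missing when the malicious commit landed.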