SushiSwap Launchpad Miso exploited for $2.9m

The 864 Ether siphoned from SushiSwap’s Launchpad platform Miso has now been fully returned by the anonymous perpetrator.

The Miso platform was exploited yesterday at approximately 4PM UTC, with the hacker stealing  Ethereum worth $2.9m.

The crypto community was notified of the hack by SushiSwap CTO Joseph Delong, who tweeted out a now-deleted thread outlining what happened.

According to Delong, the exploit occurred when an anonymous contractor – GitHub handle AristoK3 – injected malicious code into the platform’s front end and replaced the auction’s wallet address with their own address.

SushiSwap asked both FTX and Binance for their assistance in providing the perpetrator’s KYC information as the wallets used in the exploit were linked to the exchanges’ wallet addresses.

The only auction that was exploited was the Jay Pegs Auto Mart auction – a token sale that enables users to buy an NFT of a customised 2007 Kia Sedona. All other auctions have since been patched.

Delong then issued an ultimatum to the hacker warning them that legal action would be taken via the FBI if the funds weren’t returned by 8am EST.

The thread contained a detailed document that covered all of the wallet addresses used and information that allegedly doxxed the perpetrator, which ultimately led to the full return of the funds.

Delong later confirmed all of the stolen funds had since been returned by the hacker. Delong also noted that the Jay Pegs Auto Mart team had Miso soup delivered to the attacker’s house in an apparent attempt at revenge, much to the delight of the crypto community. Delong and the perpetrator even exchanged apologies on Twitter over the incident, a sign that the situation has been fully resolved.

This is now the second time the Miso platform, which SushiSwap describes as ‘a suite of open-source smart contracts created to ease the process of launching a new project on the SushiSwap exchange’, has been exploited.

Last month, Paradigm team member samczsun discovered a ‘critical vulnerability’ in the MISO platform, which could have resulted in the loss of 109k ETH. The vulnerability was patched within five hours, with samczsun reportedly rewarded with a healthy bounty by SushiSwap for his efforts.