
$3 Million Cryptocurrency Heist Stemmed from a Malicious GitHub Commit

SushiSwap’s MISO cryptocurrency platform suffered a $3 million theft resulting from a software supply-chain attack, as I reported on Friday.

By making just one malicious code commit to Sushi’s private GitHub repository, “miso-studio,” the attacker was able to alter the front-end of the company’s auction site and replace the authentic wallet address with their own.

As such, the 864.8 ETH (currently worth approximately $3 million) collected for an automobile auction were diverted to the attacker’s wallet once the auction was finalized.

Sushi released a brief postmortem report of the incident, attributing the problem to a gap between their documented Git workflow and what the repository actually enforced:

“On Friday, September 17, Miso suffered a supply chain exploit, whereupon the fund wallet address was fixed to [the attacker’s wallet] for ETH and WETH (Ethereum format) auctions.”

“The studio repo had a procedure to open PRs on the dev branch and go through review to merge into the master branch. However, this process was not enforced by git branch protection settings.”

Supply chain security needs more than a tad of luck.
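The postmortem’s key point is that a pull-request-and-review convention is worthless unless the server enforces it. The following audit script is an added example, not Sushi’s code or GitHub’s own tooling: it takes the JSON that GitHub’s REST endpoint `GET /repos/{owner}/{repo}/branches/{branch}/protection` returns for a branch and lists the guardrails that are missing. An unprotected branch (that endpoint answers 404 “Branch not protected”) is represented as `None`. The field names follow that API’s documented response shape; the sample payloads are constructed for illustration.

```python
"""Audit a GitHub branch-protection payload for the guardrails that would have
forced a change like the miso-studio commit through a reviewed pull request.

Added example, not Sushi's code. Assumes the JSON shape returned by
GET /repos/{owner}/{repo}/branches/{branch}/protection; an unprotected branch
(a 404 "Branch not protected" from that endpoint) is passed in as None.
All payloads below are constructed samples.
"""
from __future__ import annotations

from typing import Any


def audit_branch_protection(protection: dict[str, Any] | None,
                            min_reviews: int = 1) -> list[str]:
    """Return the list of missing guardrails. An empty list means a single
    contributor cannot land code on the branch without a second reviewer."""
    if protection is None:
        # The failure mode in the postmortem: the PR/review process existed
        # as a team convention only; nothing server-side enforced it.
        return ["no branch protection rule at all: direct pushes to the branch are allowed"]

    findings: list[str] = []

    reviews = protection.get("required_pull_request_reviews")
    if not reviews:
        findings.append("pull request reviews not required: commits can be pushed directly")
    else:
        if reviews.get("required_approving_review_count", 0) < min_reviews:
            findings.append(f"fewer than {min_reviews} approving review(s) required")
        if not reviews.get("dismiss_stale_reviews", False):
            findings.append("stale approvals are kept: a PR can change after approval and still merge")
        if not reviews.get("require_code_owner_reviews", False):
            findings.append("CODEOWNERS review not required")

    if not (protection.get("enforce_admins") or {}).get("enabled", False):
        findings.append("rules not enforced for administrators")

    checks = protection.get("required_status_checks")
    if not checks or not checks.get("contexts"):
        findings.append("no required status checks (CI/build verification not enforced)")

    if (protection.get("allow_force_pushes") or {}).get("enabled", False):
        findings.append("force pushes allowed: branch history can be rewritten")

    return findings


# Constructed: the situation described in the postmortem (no rule at all).
UNPROTECTED = None

# Constructed: a partially protected branch. Reviews are required, but one
# approver suffices, admins are exempt, CI is not gated, force pushes allowed.
PARTIAL = {
    "required_pull_request_reviews": {
        "required_approving_review_count": 1,
        "dismiss_stale_reviews": False,
        "require_code_owner_reviews": False,
    },
    "enforce_admins": {"enabled": False},
    "required_status_checks": None,
    "allow_force_pushes": {"enabled": True},
    "restrictions": None,
}

# Constructed: a hardened master branch.
HARDENED = {
    "required_pull_request_reviews": {
        "required_approving_review_count": 2,
        "dismiss_stale_reviews": True,
        "require_code_owner_reviews": True,
    },
    "enforce_admins": {"enabled": True},
    "required_status_checks": {"strict": True, "contexts": ["ci/build"]},
    "allow_force_pushes": {"enabled": False},
    "restrictions": None,
}


if __name__ == "__main__":
    for name, payload in (("unprotected", UNPROTECTED),
                          ("partial", PARTIAL),
                          ("hardened", HARDENED)):
        missing = audit_branch_protection(payload, min_reviews=2)
        status = "OK" if not missing else f"{len(missing)} gap(s)"
        print(f"{name}: {status}")
        for finding in missing:
            print(f"  - {finding}")
```

To run it against a real repository, feed it the output of `gh api repos/OWNER/REPO/branches/master/protection` (a 404 from that call is the unprotected case). Two caveats a practitioner should keep in mind: branch protection only governs the protected branches, so the deployed front-end must actually be built from one of them rather than from whatever a contractor last pushed to a dev branch; and a required review is only as strong as the reviewer, since a wallet address swapped in a minified bundle is easy to miss without a diff of the built artifact.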

This time around, the attacker turned out to be an “anonymous contractor” working on Sushi’s repository who had injected malicious code into MISO’s front-end repo, according to the company’s CTO.

A few hours following the hack, I noticed the attacker’s $3 million wallet balance began dropping, starting with 100 Ethereum tokens that were deposited back into Sushi’s cryptocurrency reserve. That was when I started wondering: were the funds being returned by the oh-so-benevolent attacker?

Turns out, yes: the entirety of the funds was sent back by the attacker to the company within a day:

“The full funds were returned to the Operational Multisig after a period of discussion in quantities of 100 ETH, 700 ETH, and 65 ETH,” confirms Sushi in the same write-up.

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Ax Sharma. Read the original post at: https://blog.sonatype.com/3-million-cryptocurrency-heist-malicious-github-commit
