An auction for non-fungible tokens (NFTs) on SushiSwap’s MISO platform was hacked yesterday. The hacker made off with $3 million worth of ethereum (ETH), SushiSwap CTO Joseph Delong reported on Sept. 16:
The Miso front end has become the victim of a supply chain attack. An anonymous contractor with the GH handle AristoK3 injected malicious code into the Miso front end. We have reason to believe this is @eratos1122.
864.8 ETH was stolen, address below https://t.co/cDZeBqFV4P
— Joseph 🤝 Delong 🔱 (@josephdelong) September 17, 2021
Delong reports that a certain ‘AristoK3’ injected “malicious code” into the front end of the MISO launchpad to carry out a supply chain attack. The auction that was hacked was that of Jay Pegs Auto Mart’s 2007 Kia Sedona NFTs.
These NFTs were mainly meant as a joke, but the sum involved came to a whopping 864.8 ETH, and that was probably less funny. The hacker had replaced the wallet address in the auction’s contract with his own wallet address, Delong says. Jay Pegs Auto Mart reports that everyone will still receive their NFTs:
Hey folks. Everyone will still receive their 2007 Kia Sedona NFTs, and the exchange is still scheduled to begin on 9/21/2021. https://t.co/oYgqyHY8Jp
— Jay Pegs Auto Mart (@jaypegsautomart) September 17, 2021
According to Delong, this AristoK3 is a blockchain developer called ‘0x AK’ or ‘Eratos1122.’ It is currently unclear who that is; Delong claims he previously worked on Yearn Finance (YFI). SushiSwap has contacted cryptocurrency exchanges FTX and Binance to request know-your-customer (KYC) information, but they did not want to hand it over for the time being.
Furthermore, Delong reports that if the stolen money is not returned by 1 p.m. Dutch time, attorney Stephen Palley will file a report with the Federal Bureau of Investigation (FBI). The deadline had actually passed, but Delong just reported that the hacker has returned 100 ETH, worth about $350 thousand. “Hopefully the rest will follow,” said Delong.
100 ETH has been returned to the Sushi multisig. Hoping the attacker sends the rest https://t.co/PpvYCaIUeq https://t.co/Xz7uQiHRW9
— Joseph 🤝 Delong 🔱 (@josephdelong) September 17, 2021
The decentralized finance (DeFi) sector is still in its infancy and has seen many such attacks in the past year, in which someone exploited a flaw in the code of a smart contract to empty it. Earlier this week, the Zabu Finance platform was targeted.