Cyber Incident Victim: SushiSwap
Date: Sep 2021
Location: United States of America

Summary
A supply chain attack on a decentralized finance platform's token launchpad involved a malicious code commit by an anonymous contractor with repository access, diverting approximately $3 million in Ethereum to an attacker's wallet during an auction. The exploit impacted a single auction, which was patched after detection. The platform engaged cryptocurrency exchanges to trace the perpetrator and initiated legal procedures, leading to the attacker returning the stolen funds to a designated multisig pool, likely due to law enforcement pressure.
Description
On September 16, 2021, SushiSwap’s Chief Technology Officer Joseph Delong disclosed a supply chain attack targeting the platform’s Minimal Initial SushiSwap Offering (MISO), a token launchpad enabling projects to issue tokens on the Sushi network. The attack originated from a malicious code commit pushed by an anonymous contractor with GitHub username AristoK3, who had access to SushiSwap’s code repository. This individual manipulated the platform’s front end by substituting the legitimate auction wallet address with their own, redirecting funds during token auctions. The exploit specifically impacted an automobile mart’s auction, allowing the attacker to siphon 864.8 Ethereum (approximately $3 million) to their wallet. Software supply chain attacks, as described in the incident, involve tampering with development processes to distribute compromised code, amplifying damage across dependent systems. Delong confirmed the attack’s mechanism via a since-deleted tweet, noting the insertion of the fraudulent wallet address occurred during auction creation. The hijacked funds were traced to the attacker’s wallet, which showed transactional activity indicating movement of the stolen cryptocurrency shortly after the breach.
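The mechanism described above, a repository commit that swaps the auction wallet address in the front end, is the kind of change a pre-merge check can surface. The following Python is an added defensive illustration, not SushiSwap's or the MISO repository's code: it scans a unified diff for hard-coded Ethereum addresses that change in front-end source files and flags any new address absent from an allow-list. The file paths, addresses, allow-list and sample diff are all constructed placeholders.

```python
import re
from dataclasses import dataclass

# Constructed placeholder allow-list: addresses the front end may legitimately
# reference (in practice, the project's known treasury/auction wallets).
ALLOWED_ADDRESSES = {"0x1111111111111111111111111111111111111111"}

# A 20-byte hex Ethereum address as it appears in source code.
ETH_ADDR = re.compile(r"0x[0-9a-fA-F]{40}")
# File types that make up the web front end; other files are ignored.
FRONTEND_EXT = (".js", ".jsx", ".ts", ".tsx", ".json")


@dataclass(frozen=True)
class Finding:
    path: str
    removed: frozenset
    added: frozenset


def audit_diff(diff_text):
    """Return one Finding per front-end file whose hard-coded addresses changed."""
    changes = {}  # path -> {"removed": set(), "added": set()}
    path = None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            # New file header: strip git's "b/" prefix, keep only front-end files.
            path = line[4:].strip()
            path = path[2:] if path.startswith("b/") else path
            if not path.endswith(FRONTEND_EXT):
                path = None
            continue
        if path is None or line.startswith("---") or line.startswith("@@"):
            continue
        bucket = "removed" if line.startswith("-") else "added" if line.startswith("+") else None
        if bucket:
            entry = changes.setdefault(path, {"removed": set(), "added": set()})
            entry[bucket].update(a.lower() for a in ETH_ADDR.findall(line))
    return [Finding(p, frozenset(c["removed"]), frozenset(c["added"]))
            for p, c in changes.items() if c["removed"] or c["added"]]


def unapproved_addresses(findings):
    """Newly introduced addresses that are not on the allow-list (review blockers)."""
    allowed = {a.lower() for a in ALLOWED_ADDRESSES}
    return sorted({a for f in findings for a in f.added if a not in allowed})


# Constructed sample diff: a front-end config swaps the payment wallet, while a
# README change (not front-end code) also touches an address and is ignored.
SAMPLE_DIFF = """\
--- a/src/auction/config.ts
+++ b/src/auction/config.ts
@@ -3,3 +3,3 @@
 export const AUCTION_CONFIG = {
-  paymentWallet: "0x1111111111111111111111111111111111111111",
+  paymentWallet: "0x2222222222222222222222222222222222222222",
 };
--- a/README.md
+++ b/README.md
@@ -1 +1 @@
-Old docs 0x3333333333333333333333333333333333333333
+New docs 0x4444444444444444444444444444444444444444
"""
```

Running `unapproved_addresses(audit_diff(SAMPLE_DIFF))` on the constructed diff returns the single swapped-in address, which is the signal a reviewer or CI gate would block on.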

SushiSwap responded by patching all affected auctions and collaborating with cryptocurrency exchanges Binance and FTX to obtain Know Your Customer (KYC) records linked to the attacker’s wallet. Binance publicly acknowledged investigating the incident and offered assistance. Delong issued an ultimatum demanding the funds’ return by 8:00 AM ET, threatening to involve the FBI via an IC3 complaint filed through lawyer Stephen Palley if unresolved. Subsequently, the attacker returned the stolen Ethereum to SushiSwap’s “Operation Multisig” pool, mirroring patterns observed in prior DeFi breaches like the Poly Network heist, where fear of legal repercussions prompted refunds. The incident underscored vulnerabilities in decentralized finance platforms’ reliance on external contractors and code repositories, though SushiSwap confirmed no additional auctions beyond the automobile mart’s were compromised. The resolution involved no permanent loss of funds due to the attacker’s restitution, but it highlighted operational risks in DeFi ecosystems’ supply chains and the role of centralized exchanges in tracing illicit transactions.
