We hit a new low. A blue-chip rekt by a front-end attack.
A developer who had been contracted to work on the MISO auction for “JayPegs Automart” inserted his own wallet address in place of the auctionWallet when the auction contract was set up through the front end.
Remind us, which part of crypto is supposed to be “trustless”?
Misplaced faith cost MISO $3.1 million.
The aftermath was more aggressive than usual.
In a since-deleted tweet, Sushi CTO Joseph DeLong went public with his suspicions, doxxing the developer he believed to be responsible.
The Miso front end has become the victim of a supply chain attack. An anonymous contractor with the GH handle AristoK3 injected malicious code into the Miso front end. We have reason to believe this is @eratos1122.
Eratos1122 protested, but the Sushi team had made their case, and they refused to back down.
DeLong had attached the resume, personal website, Facebook profile, email address and invoice details of eratos1122 to a public Google doc.
After a few hours of these details being made public, and following threats from the Sushi team to involve the FBI, the money was returned: 865.094 ether against the 864.8 ether taken, slightly more than was originally stolen.
The doxx document is now private, however some of the contents are detailed below.
We’ll let the rekt readers decide why the funds were returned.
Hacker OG address - 0x3dDD8b6D092df917473680d6C41F80F708C45395
0xe5f funded by: 0xba6f4f83329b9500672c6955fd5082c9434aaf74
0xba6f funded by: 0x482c9f85644f1686c490d38291511657da767e61
When whitehat developers switch hats to black, they often forget to cover their tracks.
Doxxing somebody like that is a serious step to take, and the Sushi team / Joseph DeLong must have had a lot of conviction in order to be so public with their accusation.
The tweets and documents may no longer be available, but the Sushi and Jaypeg team still seem confident that their suspicions were correct.
Until now, Eratos1122 had earned a decent reputation in the space, and his GitHub shows a lot of experience. Whether the accusations against him are truthful or not, this incident will not be forgotten.
Another close call for Sushiswap, who have appeared in rekt.news in the past, but always seem to escape total disaster.
However, regardless of refund, a hack is a hack, and this one’s going on the leaderboard.
Meanwhile, at Jaypegs Automart, forced memes are 20% off!!!
Terms and conditions apply.
REKT serves as a public platform for anonymous authors, we take no responsibility for the views or content hosted on REKT.