$3M in Ether Stolen From SushiSwap’s MISO Launchpad

A non-fungible token (NFT) auction on the MISO token launchpad built on the SushiSwap platform appears to have been hacked, with the attacker making off with roughly $3 million in ether, SushiSwap Chief Technology Officer Joseph Delong tweeted Thursday.

• Delong said that an anonymous contractor using the Github handle “AristoK3″ injected malicious code into Miso’s front end in a supply chain attack. He added the link to an Ethereum address showing ETH 864.8 transferred at approximately 16:00 UTC on Thursday.
• Etherscan has identified the address as part of an exploit.
• Supply chain attacks happen when a malicious actor changes a contract address to one they control. That type of attack can occur with open-source software libraries, according to the U.S. National Counterintelligence and Security Center.
• Only one contract appears to have been exploited, according to Delong, for the JayPegsAutoMart NFT sale.
• The attacker, who has done work with decentralized finance (DeFi) protocol yearn.finance, replaced the auction’s wallet address with their own, Delong said.
• Delong said SushiSwap “has reason to believe” the attacker was eratos1122, linking to a Twitter account that identifies as a blockchain and mobile games developer.
• SushiSwap has asked crypto exchanges FTX and Binance, to hand over the hacker’s know-your-customer information of the individual.
• CoinDesk hasn’t been able to independently verify the attacker’s identity as of press time.
• If the funds are not returned by 12:00 UTC, the DeFi exchange will file a complaint with the FBI, Delong said.