- A Blast-based game has been exploited, losing over $4 million
- The hacker exploited a weakness in the game’s token transfer function
- The weakness doubles a user’s tokens when they transfer their entire balance
Web3 hackers are preying on newly launched projects, with the Blast-based game Super Sushi Samurai (SSS) the latest victim. The hacker exploited a weakness in the game’s token transfer function, enabling them to pocket over $4 million of user funds. According to smart contract developers, the flaw in the function lets users double their holdings each time they move their entire balance, a weakness simple enough that it may have been discovered by the project’s early users rather than by people with smart contract hacking skills.
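The bug class the article describes (a full-balance transfer to yourself that doubles the balance) is a well-known ERC-20 implementation mistake: the transfer routine reads the sender's and receiver's balances into locals, then writes both back, so when sender and receiver are the same address the second write overwrites the first. The Python model below is an added example, not code from the Super Sushi Samurai project; it assumes the SSS contract followed this cached-balance pattern (the article only states the symptom), and the class and function names are invented. It shows the vulnerable logic, the corrected logic, and the supply invariant a defender can monitor to catch this kind of minting-by-accident.

```python
"""Python model of the self-transfer balance-doubling bug.

Added example; assumes (not confirmed by the article) that the token's
Solidity _transfer() cached both balances in locals before writing them
back. Class and function names are invented for illustration.
"""
from typing import Dict


class VulnerableToken:
    """Transfer that caches both balances first, then writes them back.

    When frm == to, the write for `to` clobbers the write for `frm`, so
    the net effect is balance + amount instead of balance unchanged.
    """

    def __init__(self, initial: Dict[str, int]) -> None:
        self.balances: Dict[str, int] = dict(initial)
        self.total_supply = sum(initial.values())  # what the contract *thinks* exists

    def transfer(self, frm: str, to: str, amount: int) -> None:
        from_balance = self.balances.get(frm, 0)
        to_balance = self.balances.get(to, 0)  # stale copy if frm == to
        if amount > from_balance:
            raise ValueError("insufficient balance")
        self.balances[frm] = from_balance - amount
        self.balances[to] = to_balance + amount  # overwrites the line above when frm == to


class FixedToken(VulnerableToken):
    """Read-modify-write each balance from storage in order; safe when frm == to."""

    def transfer(self, frm: str, to: str, amount: int) -> None:
        if amount > self.balances.get(frm, 0):
            raise ValueError("insufficient balance")
        self.balances[frm] = self.balances[frm] - amount
        self.balances[to] = self.balances.get(to, 0) + amount


def supply_invariant_holds(token: VulnerableToken) -> bool:
    """Defensive check: the sum of all balances must equal recorded total supply.

    A transfer must never change this sum; if it does, tokens were created
    or destroyed by the transfer path, which is exactly the SSS symptom.
    """
    return sum(token.balances.values()) == token.total_supply


def self_transfer_result(token_cls, start_balance: int) -> int:
    """Balance left after transferring the entire balance to oneself."""
    token = token_cls({"holder": start_balance})
    token.transfer("holder", "holder", start_balance)
    return token.balances["holder"]


def demo() -> None:
    for cls in (VulnerableToken, FixedToken):
        token = cls({"holder": 100})
        token.transfer("holder", "holder", 100)  # full-balance self-transfer
        print(f"{cls.__name__}: balance={token.balances['holder']}, "
              f"invariant_ok={supply_invariant_holds(token)}")


if __name__ == "__main__":
    demo()
```

Running `demo()` shows the vulnerable token ending at 200 with the invariant violated, and the fixed token staying at 100. Beyond patching the transfer path, a test suite or on-chain monitor that asserts the balance-sum invariant after every transfer (including explicit `from == to` cases) would flag this class of bug before or shortly after deployment.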
The Hacker Has Been Co-operative
The SSS team has since contacted the attacker who was later discovered to be a white hat hacker. The team disclosed that the hacker “has been co-operative,” adding that they’re “working out a plan that” will favor all parties involved.
According to a post-mortem report, the white hat pocketed 1,310 ETH out of the total 1,339 ETH in the pool before the exploit. However, a black hat hacker was also able to scoop 40 ETH. Blockchain security firm CertiK estimated the total amount of funds siphoned to be $4.6 million.
1. Post-mortem:
The token contract has a bug where transferring your entire balance to yourself doubles it. h/t @coffeexcoin
2. Damage details:
total eth in pool before exploit: 1339.50 ETH
Whitehat: 1,310.04 ETH
Blackhat: 40.28 ETH
we remove LP and got: 29.09 ETH
3. Update: …
— Super Sushi Samurai | SSS (@SSS_HQ) March 22, 2024
The hack happened the day the game was expected to go live and a few days after the team launched the SSS token.
Hacker Rejects $1 Million Bounty
The hack comes three weeks after Blast, an Ethereum scaling layer, went live. Blast’s mode of operation attracted controversy when it asked prospective users to deposit funds into a bridge, months before the network went live.
In the recent past, hackers have been dictating the terms: some have rejected bounty offers of up to $1 million, while others have demanded control of the hacked protocol, as in the cases of PlayDapp and KyberSwap respectively.
Although the SSS team disclosed that the hacker has been cooperative, it’s unclear whether they’ve agreed on a bounty amount.