Blast-based Game Loses Over $4 Million in Exploit

  • A Blast-based game has been exploited, losing over $4 million
  • The hacker exploited a weakness in the game’s token transfer function
  • The weakness doubles a user’s tokens whenever the user transfers their entire balance

Web3 hackers are preying on newly-launched projects, with the Blast-based game Super Sushi Samurai (SSS) the latest victim. The hacker exploited a weakness in the game’s token transfer function, enabling them to pocket over $4 million of user funds. According to smart contract developers, the flaw in the function lets users double their holdings each time they move their entire balance, a weakness that may have been discovered by the project’s early users rather than by people with smart contract hacking skills.
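A transfer that doubles a balance when the whole balance is moved usually points to one accounting mistake: the routine reads both the sender's and the recipient's balances up front, so when sender and recipient are the same account the final credit overwrites the earlier debit. The following is an added example modelling that bug class in a toy ledger; it is not the game's contract code (the article does not show the source), and the accounts, amounts and class names are constructed. The supply-conservation check is the invariant a reviewer or monitoring job would test for.

```python
# Toy ERC-20-style token ledger, written to illustrate the self-transfer
# accounting bug described in the article. ASSUMED mechanism, not the game's
# actual contract; account names and balances are constructed sample data.

class VulnerableLedger:
    """Both balances are cached before any write, so on a self-transfer the
    credit is computed from a stale value and clobbers the debit."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.total_supply = sum(balances.values())  # fixed at deployment

    def transfer(self, sender, to, amount):
        from_bal = self.balances[sender]
        to_bal = self.balances[to]          # stale when to == sender
        if amount > from_bal:
            raise ValueError("insufficient balance")
        self.balances[sender] = from_bal - amount
        self.balances[to] = to_bal + amount  # overwrites the debit on a self-transfer
        return self.balances[to]


class FixedLedger(VulnerableLedger):
    """Apply the debit first, then read the recipient's balance again before
    crediting, so a self-transfer nets to zero instead of minting."""

    def transfer(self, sender, to, amount):
        if amount > self.balances[sender]:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount      # debit is written to storage
        self.balances[to] += amount          # re-read after the debit
        return self.balances[to]


def supply_is_conserved(ledger):
    """Invariant every token ledger must hold: the sum of balances never
    drifts from the minted supply. A transfer that breaks it is minting."""
    return sum(ledger.balances.values()) == ledger.total_supply


def self_transfer_rounds(ledger, account, rounds):
    """Move the account's entire balance to itself `rounds` times and return
    the resulting balance (doubles per round on the vulnerable ledger)."""
    for _ in range(rounds):
        ledger.transfer(account, account, ledger.balances[account])
    return ledger.balances[account]


if __name__ == "__main__":
    vuln = VulnerableLedger({"alice": 100, "pool": 1000})
    print("vulnerable after 3 self-transfers:", self_transfer_rounds(vuln, "alice", 3))
    print("supply conserved:", supply_is_conserved(vuln))
    fixed = FixedLedger({"alice": 100, "pool": 1000})
    print("fixed after 3 self-transfers:", self_transfer_rounds(fixed, "alice", 3))
    print("supply conserved:", supply_is_conserved(fixed))
```

The fix is the read-after-write ordering (or, equivalently, a single in-place update per account); an explicit `require(sender != to)` also closes this path but leaves any other cached-balance ordering mistake in place, so the supply invariant is the check worth keeping in a test suite regardless.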

The Hacker has Been Co-operative

The SSS team has since contacted the attacker who was later discovered to be a white hat hacker. The team disclosed that the hacker “has been co-operative,” adding that they’re “working out a plan that” will favor all parties involved.

According to a post-mortem report, the white hat pocketed 1,310 ETH out of the total 1,339 ETH in the pool before the exploit. However, a black hat hacker was also able to scoop 40 ETH. Blockchain security firm CertiK estimated the total amount of funds siphoned to be $4.6 million.

The hack happened the day the game was expected to go live and a few days after the team launched the SSS token.

Hacker Rejects $1 Million Bounty

The hack comes three weeks after Blast, an Ethereum scaling layer, went live. Blast’s mode of operation attracted controversy when it asked prospective users to deposit funds into a bridge, months before the network went live.

In the recent past, hackers have been dictating the terms, with some rejecting bounty offers of up to $1 million while others demand control of the hacked protocol, as in the cases of PlayDapp and KyberSwap respectively.

Although the SSS team disclosed that the hacker has been cooperative, it’s unclear whether they’ve agreed on a bounty amount.