A non-fungible token (NFT) auction on the MISO token launchpad built on the SushiSwap platform appears to have been hacked, with the attacker making off with roughly $3 million in ether, SushiSwap Chief Technology Officer Joseph Delong tweeted Thursday.
- Delong said that an anonymous contractor using the Github handle “AristoK3″ injected malicious code into Miso’s front end in a supply chain attack. He added the link to an Ethereum address showing ETH 864.8 transferred at approximately 16:00 UTC on Thursday.
- Etherscan has identified the address as part of an exploit.
- Supply chain attacks happen when a malicious actor changes a contract address to one they control. That type of attack can occur with open-source software libraries, according to the U.S. National Counterintelligence and Security Center.
- Only one contract appears to have been exploited, according to Delong, for the JayPegsAutoMart NFT sale.
- Delong said SushiSwap “has reason to believe” the attacker was eratos1122, linking to a Twitter account that identifies as a blockchain and mobile games developer.
- SushiSwap has asked crypto exchanges FTX and Binance, to hand over the hacker’s know-your-customer information of the individual.
- CoinDesk hasn’t been able to independently verify the attacker’s identity as of press time.
- If the funds are not returned by 12:00 UTC, the DeFi exchange will file a complaint with the FBI, Delong said.
The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups.