The Super Sushi Samurai (SSS) game encountered a severe security breach, causing a staggering 99.9% decline in its token’s value.
Exploiting a double-spending glitch within the game, unauthorized withdrawals amounting to $4.8 million were made from its liquidity pools. This vulnerability, stemming from flaws in the project’s smart contracts, enabled users to manipulate their token balances.
We have been exploited, it's mint related. We are still looking into the code. Tokens were minted and sold into the LP.
Transaction:https://t.co/F4XeqdyJu2the exploited funds are in this wallet: https://t.co/NWeTu5vMkj
— Super Sushi Samurai | SSS (@SSS_HQ) March 21, 2024
Super Sushi Samurai announced on social media, “We’ve been exploited, and it’s related to minting. We’re currently investigating the code. Tokens were minted and sold into the LP.”
Loss of $4.8 Million Due to Double-Spending Flaw
As per a statement from “Coffee,” a solidity and backend developer at Yuga Labs, the liquidity pool on the Blast network was drained because of a flaw in their token contract. This flaw resulted in users’ balances doubling when they attempted to transfer their entire balance to themselves.
The @SSS_HQ $SSS LP was just drained on blast because their token contract has a bug where transferring your entire balance to yourself doubles it.
The order of operations decrements the balance for "from" and then sets the balance for "to" – if these are the same address, the… pic.twitter.com/RStMcFH3sy
— Coffee ☕️🍌 (@coffeexcoin) March 21, 2024
“The order of operations decrements the balance for ‘from’ and then sets the balance for ‘to,'” explained Coffee. “If these are the same address, the ‘toBalance’ does not account for the decrement of ‘amount’ and simply replaces the balance with the initial balance plus the transferred amount.”
“The attacker managed to obtain 1310 ETH from the LP by repeatedly doubling their balance and then selling it all,” Coffee added.
Statistics on CoinGecko indicate that the trading price of SSS tokens has plummeted by over 99.9% since the glitch was discovered.
An on-chain message indicates it’s a “White Hat Rescue” effort.
Nevertheless, an on-chain message asserted that the exploit was instigated by a white hat hacker.
This has been a white hat rescue. https://t.co/4oKl8IPkJW https://t.co/2jehYaeJJ0 pic.twitter.com/ZMxbpZ9jbt
— sudo rm -rf –no-preserve-root / (@pcaversaccio) March 21, 2024
The message left on the chain begins with a seemingly contradictory blend of terms: “whitehat rescue hack.” This suggests that the exploit was carried out with the intention of rescuing or mitigating harm rather than for malicious purposes. It calls on the team to collaborate on reimbursing affected users, indicating a sense of responsibility and a commitment to rectify the situation.
The response from the SSS Team is appreciative and acknowledges the sender as a “white hat,” a term commonly used to refer to ethical hackers who use their skills to uncover vulnerabilities and improve security. Their response indicates a willingness to engage and work together toward resolving the issue. By reaching out via Blockscan, a platform for blockchain exploration, they demonstrate a proactive approach to communication and collaboration in addressing the aftermath of the exploit.