Delay in SushiSwap Listing. Security Breach Averted!

We have had to delay the listing announcement on SushiSwap due to a breach of our Ethereum token contract. The details of the contract breach are given below.

The bridging contract between Polygon and Ethereum works with lock/unlock and burn/mint functionality:

  1. If the user wants to bridge their tokens from the Ethereum chain to the Polygon chain, they will have to call the [deposit()](<https://github.com/getsafle/bridging-contract/blob/main/contracts/FxBaseRootTunnel.sol#L77>) function in the FxBaseRootTunnel contract.
  2. The deposit() function will call the [burn()](<https://github.com/getsafle/bridging-contract/blob/main/contracts/eth%20token/Safle.sol#L34>) function from the Ethereum token contract.
  3. The burn(address, amount) should accept the address from where the tokens are to be burnt and the amount of tokens to be burnt.
  4. The burn(address, amount) function should have a condition check that allows only the FxBaseRootTunnel contract to call it, and that check was not present.
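The flow above, as an added example that is not Safle's contract and not the code in the linked repository: a minimal token with the unchecked burn() beside a hardened version that only a stored root-tunnel address may call, plus a minimal tunnel whose deposit() calls it. The contract and function names (VulnerableToken, HardenedToken, RootTunnel, setRootTunnel) and the one-time setter used to wire the tunnel address are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not Safle's contract: the two versions of burn() side by side.
// Only balance/supply bookkeeping is modelled; transfer/approve are omitted.

contract VulnerableToken {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    constructor(uint256 initialSupply) {
        balanceOf[msg.sender] = initialSupply;
        totalSupply = initialSupply;
    }

    // Vulnerable: no caller check. Anyone can burn any holder's balance,
    // including the balance held by a DEX pair contract.
    function burn(address from, uint256 amount) external {
        require(balanceOf[from] >= amount, "insufficient balance");
        balanceOf[from] -= amount;
        totalSupply -= amount;
    }
}

contract HardenedToken {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;
    address public owner;
    address public rootTunnel; // the only address allowed to call burn()

    constructor(uint256 initialSupply) {
        owner = msg.sender;
        balanceOf[msg.sender] = initialSupply;
        totalSupply = initialSupply;
    }

    // Assumed wiring step: the token is deployed before the tunnel, so the
    // deployer sets the tunnel address exactly once after both exist.
    function setRootTunnel(address _rootTunnel) external {
        require(msg.sender == owner, "not owner");
        require(rootTunnel == address(0), "tunnel already set");
        require(_rootTunnel != address(0), "zero address");
        rootTunnel = _rootTunnel;
    }

    modifier onlyRootTunnel() {
        require(msg.sender == rootTunnel, "caller is not the root tunnel");
        _;
    }

    // Hardened: the caller check that was missing. burn() can now only be
    // reached through the tunnel's deposit(), which passes its own caller.
    function burn(address from, uint256 amount) external onlyRootTunnel {
        require(balanceOf[from] >= amount, "insufficient balance");
        balanceOf[from] -= amount;
        totalSupply -= amount;
    }
}

interface IBurnableToken {
    function burn(address from, uint256 amount) external;
}

// Minimal stand-in for FxBaseRootTunnel.deposit(): burns the depositor's
// tokens on Ethereum; the real tunnel then messages Polygon to mint.
contract RootTunnel {
    IBurnableToken public immutable token;

    event Deposit(address indexed from, uint256 amount);

    constructor(IBurnableToken _token) {
        token = _token;
    }

    function deposit(uint256 amount) external {
        token.burn(msg.sender, amount); // msg.sender here is the depositor
        emit Deposit(msg.sender, amount);
    }
}
```

Deploy HardenedToken, deploy RootTunnel with the token's address, then call setRootTunnel(address(tunnel)) once. A direct call to HardenedToken.burn from any other account reverts with "caller is not the root tunnel", and because deposit() always burns from its own msg.sender, the tunnel cannot be used to burn a third party's balance either. A unit test that calls burn(pair, amount) from an unprivileged account and expects a revert is the check that would have caught this before deployment.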

On Monday, January 17, 2022, we deployed test liquidity in a SushiSwap liquidity pool. Within minutes the attacker burnt the SAFLE tokens held by the pool in four transactions, removing 480,853 SAFLE from it:

  1. https://etherscan.io/tx/0xf7ea4e662a664e7e0451fffcd61de94456f4958e858b12c3d4bfa568750e04e3
  2. https://etherscan.io/tx/0xeadde0c3097f35aadca90b534affdc56ebba05b236a6b60c2e80e7235bc619e9
  3. https://etherscan.io/tx/0xb138df86c55a82cd46d15e890924101c3a8a47793c52fa5282ef022542a46011
  4. https://etherscan.io/tx/0xfe7a1b4408df1256dcba685970aa42c806fce462eed211b58ed260c9d0013194

With most of the pool's SAFLE gone, the pool's price of SAFLE in WETH was hugely inflated, and the attacker then swapped SAFLE for WETH in a single transaction. Because the pool's tokens had been burned, the attacker was able to convert 56.88 SAFLE into 16.04 WETH.
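Why the burn turned a small swap into a large WETH payout, as an added example that is neither Safle's nor SushiSwap's code: a SushiSwap pair is a UniswapV2 fork and quotes swaps with the constant-product formula from its recorded reserves, so once the pair's recorded reserves are re-synced to its real (burned-down) balance, the same input buys a far larger share of the other asset. The pool sizes, the burned amount and the 50 SAFLE swap below are constructed for illustration; this page does not give the real reserves of the SAFLE/WETH pool.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed example (not Safle's or SushiSwap's code): the effect of an
// unauthenticated burn(pair, amount) on a constant-product pool's quote.
contract PoolPriceImpact {
    // Assumed pool before the attack: 500,000 SAFLE against 20 WETH.
    uint256 public constant SAFLE_RESERVE = 500_000 ether;
    uint256 public constant WETH_RESERVE = 20 ether;

    // UniswapV2/SushiSwap quote: 0.3% fee, constant product x * y = k.
    function getAmountOut(uint256 amountIn, uint256 reserveIn, uint256 reserveOut)
        public
        pure
        returns (uint256)
    {
        require(reserveIn > 0 && reserveOut > 0, "empty pool");
        uint256 amountInWithFee = amountIn * 997;
        return (amountInWithFee * reserveOut) / (reserveIn * 1000 + amountInWithFee);
    }

    // Quote for 50 SAFLE against the untouched pool: about 0.002 WETH.
    function quoteBefore() external pure returns (uint256) {
        return getAmountOut(50 ether, SAFLE_RESERVE, WETH_RESERVE);
    }

    // The attacker burns 499,900 SAFLE out of the pair's balance. After the
    // pair's reserves are re-synced to that balance (UniswapV2's sync()),
    // the same 50 SAFLE is quoted at roughly 6.65 WETH, a third of the pool.
    function quoteAfterBurn() external pure returns (uint256) {
        uint256 burned = 499_900 ether;
        return getAmountOut(50 ether, SAFLE_RESERVE - burned, WETH_RESERVE);
    }
}
```

The two quotes differ by more than three orders of magnitude for the same input because the burn shrinks the SAFLE side of x * y = k while the WETH side is untouched. This is why an unrestricted burn on a listed token is effectively a price oracle manipulation against every pool that holds it, not just a supply accounting bug.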

Here are more details of the incident as captured by the blockchain explorer:

  1. Transaction of the exchange: https://etherscan.io/tx/0xd457aeb845985c415decb5e1bec2c90a8ce8e3191a54f9e85168a608c84d1ef4
  2. Address of the attacker: https://etherscan.io/address/0x7b1088a749c868017f8ba34ea10e761288c6a509
  3. Seeding money on the attacker account: https://etherscan.io/tx/0xa015c1af7ad9a297b1e0b93cc28c0bc25037e10958f415cdb1ff1151c00ead3f
  4. Burn call: https://etherscan.io/tx/0xf7ea4e662a664e7e0451fffcd61de94456f4958e858b12c3d4bfa568750e04e3

Figure- Bridging-contract/contracts/eth token/Safle.sol.

The burn method used in the attack. Because it has no caller check, anyone can call it.

There was a lapse in the audit by Smart State, which did not flag the vulnerability in the token contract. They did not point to that part of the code, so this is a communication-level issue.

The vulnerability has now been resolved. More details are given here: https://github.com/getsafle/bridging-contract/pull/8.

Figure- The vulnerability resolved.

Even though the SushiSwap liquidity pool deployment was never officially announced or promoted through our channels, we apologise for any inconvenience caused in the process. This could have been avoided with more eyes on the code, as well as a rethink of developer procedures and peer review. We assure our community that we will investigate further and compensate any personal losses.

Figure- Hacker’s Track

We’ll announce a new date for SushiSwap Listing soon. It won’t take too long! Thanks all for your patience and support once again, there’s only one way forward.

Team Safle
