$5 Million Hack: Sushi Samurai Funds Drained Due to Vulnerability

March 22, 2024 Gideon Geoffery

A hacker drained $5 million from Super Sushi Samurai after detecting a double-spending vulnerability.

The token of the Blast-based Telegram game lost 99% in the wake of the attack. The project confirmed the attack and added that the drain took place on its liquidity provider (LP) wallet. Additionally, it revealed that the attack was mint-related.

As per the announcement on telegram, the project said; “We have been exploited, it’s mint related. We are still looking into the code. Tokens were minted and sold into the LP.”

The hack happened barely a week after the Sushi Samurai launched its SSS token on March 17. The attack also coincides with when the sushi plans to offer the game.

More on Sushi Samurai Vulnerability

A dev from Yuga Lab pointed out the exploit and explained the hacker was using a bug in Sushi Samurai’s code that made it possible to physically balance their accounts with self-transfers.

The @SSS_HQ $SSS LP was just drained on blast because their token contract has a bug where transferring your entire balance to yourself doubles it.
The order of operations decrements the balance for "from" and then sets the balance for "to" – if these are the same address, the… pic.twitter.com/RStMcFH3sy
— Coffee ☕️🍌 (@coffeexcoin) March 21, 2024

The hacker who performed this operation about 25 times increased the balance by two increments, and finally 1310 ETH was cashed out.

Fortunately, the hacker demonstrated an ethical duty by seeking out Sushi Samurai team. On the BlastScan message, the hacker explained the mission as a “white-hat hacking rescue.”

“Greetings everyone, here is a white hat rescue hack, let’s concentrate on refunding the users.” Blockscan sender, please talk to our SSS deployer,” the hacker just said.

The Sushi Samurai team recognized their communication with the hacker as well as their determination to solve the issue.

Financial Impact and Parallels

As a consequence of the hack, the SSS coin price fell to $0.00000000001919 in a split second, which means the loss was more than 99% of its previous value, and the market cap dropped from $27 million to zero in an instant.

This situational analogy took place just two months before the Ethereum ERC token Minex suffered a 99% drop in price, which was triggered by a code flaw of the same nature.

That attacker’s tactics involved exploiting a double-spend vulnerability which then totaled $10 million in losses.