As exploits and hacks run rampant across the DeFi ecosystem, at least one project appears to have fended off the worst of an attack — the once-maligned “vampire” AMM (automated market maker) exchange Sushiswap.
Observers noticed last night that Sushiswap — which got its start leeching liquidity from rival AMM Uniswap — was experiencing an exploit, and that anonymous head developer 0xMaki was taking steps to mitigate it:
tx with message from 0xMaki https://t.co/1MdXqw9chq
— JuanSnow (@Juan_Snow1) November 29, 2020
Reports from the Sushiswap Discord channel now indicate that the exploit has been resolved, and that all lost user funds (between $10,000 and $15,000) will be covered by the Sushiswap treasury.
To gain a better understanding of the exploit and what it means for Sushiswap, Cointelegraph spoke to one of the smart contract engineers whom 0xMaki personally thanked on Twitter for helping to mitigate its effects: self-described “DeFi degen” and Solidity developer ‘andy.’
Post-Mortem when I wake up, exploiter got around 10-15k so far from the 0.05% fees cut of Sushiswap.
LP – xSushi holders are safe!
More soon! https://t.co/QmhNMTP28L
— 0xMaki 源 義経 (@0xMaki) November 29, 2020
According to andy, 0xMaki contacted him at 10pm EDT.
“He (0xMaki) said there was some weirdness going on but was unsure what it was. We spent about 1 hour in a Discord call going through transactions until we figured out what the exploit was.”
Andy explained that the attacker wrapped liquidity pool tokens and deployed them to a new pool, allowing the attacker to execute “really weird logic to pull the underlying tokens from the reward contract.”