Spirit Trace Security: “White Hat Rescue Operation” Recovered 109,000 ETH

Users who are familiar with the DeFi ecology have heard of Sushi, which is a well-known decentralized exchange in the DeFi ecology, and Uniswap is the top- tier exchange project in the circle. However, unlike Uniswap’s vertical development path, which focuses on trading, Sushi also focuses on layout in other areas in addition to exchanges.

Auctions are the areas that Sushi has laid out in addition to exchanges. And MISO is a token sale platform developed by Sushi. This platform was launched in February this year and has been in operation for more than 6 months so far, and the overall operation is in a relatively stable condition.

But just in the early morning of August 18th, Beijing time, several overseas white hat hackers discovered a security flaw in the MISO platform contract, and jointly rescued 109,000 ETH (about 350 million US dollars) from the crowdfunding pool , so that Sushi avoided A potential disaster.

In terms of monetary value, I am afraid that this joint operation is the “largest white hat rescue operation” in the history of DeFi development. The white hat rescue operation led to the early termination of the ETH fund pool in the Dutch auction conducted by BitDAO on the MISO platform.

Although the incident was properly resolved and did not cause a major disaster, the incident still left us with many questions and lessons worth pondering.

The detailed analysis of this vulnerability by Lingzong Security is as follows:

The security breach this time is MISO’s Dutch auction contract. The auction contract address is:


In the contract, the first loophole is the delegatecall function call.

The transaction executed by the delegatecall function is passed in from outside. This contract code calls delegatecall so that the msg.value will not change when each transaction is executed, so the caller can use this vulnerability to pay an auction fee and submit multiple auction orders of the same amount, which is equivalent to free Participated in many auctions.

This part of the code is in the BoringBatchable.sol file, the specific code is as follows:


In addition, the refund logic of the contract amplifies the attack power of the vulnerability.

When the auction exceeds the upper limit, that is, the auctionSuccessful() condition is established, the contract will execute a refund. This logic combined with the above loopholes produced this scenario:

The attacker participates in the auction for free, and sets the auction amount to exceed the upper limit, which triggers the refund of the contract and takes away the funds of other users in the auction.

The refund logic is implemented by the withdrawTokens() function in the DutchAuction.sol contract. The specific code is as follows:


The most noteworthy part of this security vulnerability is that it has been recognized in the circle for a long time, and it is not a newly discovered vulnerability. Therefore, its manifestations and characteristics are easy to discover for mature auditing companies. Such vulnerabilities can be discovered through auditing, without waiting for the contract to go online to take such a big risk. After all, not every project can be so lucky to get the help of a white hat hacker. However, a detailed contract audit of each project before it goes live is something that every project team should and must do.

Therefore, we once again remind all project parties that a good project audit is the first element to ensure the development of the project. Lingzong Security will always provide practical and comprehensive services to the project team with a rigorous attitude and professional skills.

About Lingzong Security:

Lingzong Security Technology Co., Ltd. is a company that focuses on blockchain ecological security. Lingzong Security Technology has mainly served many emerging and well-known projects through the integrated comprehensive program of “code risk detection + logic risk detection”. The company was established in January 2021. The team was created by a team with rich experience in smart contract programming and network security.

Team members participated in initiating and submitting a number of draft standards in the Ethereum field, including ERC-1646, ERC-2569, and ERC-2794, of which ERC-2569 was officially income by the Ethereum team.

The team participated in the initiation and construction of a number of Ethereum projects, including blockchain platforms, DAO organizations, on-chain data storage, decentralized exchanges and other projects, and participated in the security audits of multiple projects, based on this Based on the team’s rich experience, a complete vulnerability tracking and security prevention system has been built.


Tan Yuefei, CEO of Lingzong Security

Master of Industrial Engineering (Virginia Tech, Blacksburg, VA, USA). Served as a software engineer at AIBT Inc (San Jose, CA, USA), a Silicon Valley semiconductor company in the United States, responsible for the development of the underlying control system, the program implementation of the equipment manufacturing process, the design of the algorithm, and the comprehensive technical docking and communication with TSMC. Since 2011, he has been engaged in the research of embedded, Internet and blockchain technology. He is a teacher of the “Blockchain Introduction” course at the Entrepreneurship College of Shenzhen University, a visiting researcher at the Blockchain and Intelligence Center of Sun Yat-sen University, and an executive director of the Guangdong Financial Innovation Research Association. He owns 4 blockchain-related patents and 3 published works.


Posted by:CoinYuppie,Reprinted with attribution to:https://coinyuppie.com/spirit-trace-security-white-hat-rescue-operation-recovered-109000-eth/
Coinyuppie is an open information publishing platform, all information provided is not related to the views and positions of coinyuppie, and does not constitute any investment and financial advice. Users are expected to carefully screen and prevent risks.

Like (0)
Donate Buy me a coffee Buy me a coffee
Previous 2021-08-19 11:25
Next 2021-08-19 11:29

Related articles