SushiSwap MISO redirected auction proceeds
A contractor with MISO front-end access changed an auction payout address in September 2021. The malicious commit redirected 864.8 ETH before the funds were returned.
Story
SushiSwap's MISO launchpad was attacked through source control, not through a smart-contract bug. A contractor account with access to the front-end repository changed the address used by the Jay Pegs Auto Mart auction.
The change was small and direct. The front end sent auction proceeds to an attacker-controlled address, moving 864.8 ETH, roughly $3 million at the time. Users were trusting the application surface to point at the right contract path.
Sushi leadership described the incident as a supply-chain attack because the attacker used the project's own repository and deployment path. The malicious code entered the product as a code contribution, not as traffic manipulation after deployment.
The funds were later returned to the operational multisig after public pressure and direct handling by Sushi. The archive keeps the record because the delivery method matters even when the money came back.
Affected Artifacts
- Observed: 2021-09-17
- Compromised Versions: Unknown
- Fixed: Not listed
- Evidence: mirror: github.com/sushiswap/miso, account: AristoK3, observable: Front-end code changed auction payout address to attacker-controlled wallet.
Incident Context
- Motive: Cryptocurrency Theft
- Attribution: Maintainer
- Cause: Insider Threat
- Transitive: No
- Actor: Insider
- User Impact: 1
External References
- Cryptocurrency launchpad hit by $3 million supply-chain attack (arstechnica.com)
- Sushi DeFi exchange hit by $3 million supply chain attack (bleepingcomputer.com)
- The MISO Front End Exploit and How We Mitigated It (forum.sushi.com)
Source record: oss/attacks/miso-sushiswap/meta.yaml