The GameFi project Super Sushi Samurai (SSS), a Telegram-based game whose token runs on Base, Coinbase's Ethereum Layer-2 network, suffered a major setback on March 21. A self-proclaimed white hat hacker exploited a balance-doubling bug in the SSS token contract and drained roughly $4.8 million from its liquidity pool. Blockchain security firm CertiK traced the incident to a flaw in the contract's balance-update function.
According to CertiK, the vulnerability lies in the contract's _update() function, which does not correctly update balances when the sender and recipient are the same address: a user who transfers their entire SSS balance to themselves ends up with twice the balance. The exploiter first bought 690 million SSS, then transferred the full balance to their own address again and again, doubling it each time (25 transfers in total, per CertiK), and finally sold 11.5 trillion SSS for about 1,310 ETH.
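The mechanism CertiK describes, as an added illustration rather than the SSS contract's own code: the usual shape of this bug is reading both balances into memory before writing either, so on a self-transfer the credit overwrites the debit. The ledger contracts below, their names, and the 690 million starting amount are hypothetical. The vulnerable `_update` sits beside the corrected ordering, and a demo contract replays the "transfer my whole balance to myself" loop against both while checking the sum-of-balances-equals-totalSupply invariant that would have flagged the flaw before launch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical ERC-20-style ledger reproducing the self-transfer doubling
/// pattern. Illustrative only; not the SSS contract.
contract VulnerableLedger {
    mapping(address => uint256) public balanceOf;
    uint256 public immutable totalSupply;

    constructor(uint256 initialSupply) {
        balanceOf[msg.sender] = initialSupply;
        totalSupply = initialSupply;
    }

    function transfer(address to, uint256 value) external returns (bool) {
        _update(msg.sender, to, value);
        return true;
    }

    /// BUG: both balances are cached before either store. When from == to,
    /// the second store uses the stale `toBalance` and overwrites the
    /// deduction, so transferring the whole balance to yourself doubles it.
    function _update(address from, address to, uint256 value) internal {
        uint256 fromBalance = balanceOf[from];
        uint256 toBalance = balanceOf[to];
        require(fromBalance >= value, "insufficient balance");
        balanceOf[from] = fromBalance - value;
        balanceOf[to] = toBalance + value; // clobbers the debit if to == from
    }
}

/// Same ledger with the store ordering fixed: debit the sender in storage
/// first, then credit the recipient with `+=`, which reads the updated slot.
contract FixedLedger {
    mapping(address => uint256) public balanceOf;
    uint256 public immutable totalSupply;

    constructor(uint256 initialSupply) {
        balanceOf[msg.sender] = initialSupply;
        totalSupply = initialSupply;
    }

    function transfer(address to, uint256 value) external returns (bool) {
        _update(msg.sender, to, value);
        return true;
    }

    function _update(address from, address to, uint256 value) internal {
        uint256 fromBalance = balanceOf[from];
        require(fromBalance >= value, "insufficient balance");
        balanceOf[from] = fromBalance - value;
        balanceOf[to] += value; // when to == from this reads the debited balance
    }
}

/// Deploys both ledgers (so it holds the whole supply of each) and replays
/// the self-transfer loop `rounds` times against both.
contract SelfTransferDemo {
    function run(uint256 rounds)
        external
        returns (uint256 buggyBalance, uint256 fixedBalance, bool buggyInvariantHolds)
    {
        VulnerableLedger v = new VulnerableLedger(690_000_000); // hypothetical amount
        FixedLedger f = new FixedLedger(690_000_000);

        for (uint256 i = 0; i < rounds; i++) {
            v.transfer(address(this), v.balanceOf(address(this))); // doubles every round
            f.transfer(address(this), f.balanceOf(address(this))); // never changes
        }

        buggyBalance = v.balanceOf(address(this));
        fixedBalance = f.balanceOf(address(this));
        // The invariant every token test suite should assert: the sum of all
        // balances equals totalSupply. This contract is the only holder here.
        buggyInvariantHolds = (buggyBalance == v.totalSupply());
    }
}
```

Deploy `SelfTransferDemo` on a local node or inside a Foundry test and call `run(25)`: the buggy balance grows by a factor of 2^25 while `totalSupply` never moves, so `buggyInvariantHolds` is false after the very first round, whereas the fixed ledger's balance stays put. The same check (sum of balances == totalSupply) is cheap to assert in a fuzz or invariant test, provided the generated transfers include the from == to case.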
The account that exploited the doubling bug described the drain as a white hat rescue, claiming the goal was to secure the funds and compensate affected users. Good intentions or not, pulling $4.8 million out of the pool crashed the SSS token: its market capitalization stood at $27.75 million before the incident and has since fallen by more than 99%.
In response, the SSS developers acknowledged the white hat's efforts and thanked them for cooperating. The episode is a reminder that a single logic error in a token's transfer path can erase a project's value in minutes, and that the self-transfer edge case deserves an explicit test before launch. It is not an isolated case: a comparable double-spend glitch recently crashed Miner, a newly launched ERC-X token, with losses exceeding $10 million.