The Super Sushi Samurai (SSS) game experienced a catastrophic security breach, resulting in a 99.9% drop in its token value.
A double-spending glitch was exploited within the game, leading to unauthorized withdrawals totaling $4.8 million from its liquidity pools. This vulnerability, identified in the project’s smart contracts, allowed users to manipulate their token balances.
We have been exploited, it’s mint related. We are still looking into the code. Tokens were minted and sold into the LP.
Transaction:https://t.co/F4XeqdyJu2the exploited funds are in this wallet: https://t.co/NWeTu5vMkj
— Super Sushi Samurai | SSS (@SSS_HQ) March 21, 2024
“We have been exploited, it’s mint related. We are still looking into the code. Tokens were minted and sold into the LP,” Super Sushi Samurai stated on social media.
Double-Spending Glitch with $4.8 Million Loss
According to a Yuga Labs solidity and backend developer “Coffee,” the liquidity pool on the Blast network was depleted due to a flaw in their token contract that caused users’ balances to double when they transferred their entire balance to themselves.
The @SSS_HQ $SSS LP was just drained on blast because their token contract has a bug where transferring your entire balance to yourself doubles it.
The order of operations decrements the balance for “from” and then sets the balance for “to” – if these are the same address, the… pic.twitter.com/RStMcFH3sy
— Coffee ☕️🍌 (@coffeexcoin) March 21, 2024
“The order of operations decrements the balance for ‘from’ and then sets the balance for ‘to,’” said Coffee. “If these are the same address, the ‘toBalance’ does not take into affect the decrement of ‘amount’ and just overwrites the balance with the initial balance + transferred amount.”
“Attacker was able to get 1310 ETH from the LP by doubling their balance repeatedly and then selling it all,” said Coffee.
Statistics on CoinGecko showed that the trading price of SSS tokens has plunged over 99.9% since the discovery of the glitch.
On-chain Message Says It’s “White Hat Rescue”
However, an on-chain message claimed that the exploit was initiated by a white hat.
This has been a white hat rescue. https://t.co/4oKl8IPkJW https://t.co/2jehYaeJJ0 pic.twitter.com/ZMxbpZ9jbt
— sudo rm -rf –no-preserve-root / (@pcaversaccio) March 21, 2024
“Hi team, this is a whitehat rescue hack. Let’s work on reimbursing the users. Please reach out via Blockchain chat from the SSS deployer…” the message reads.
The SSS Team has then responded to the message, saying, “Hello white hat, we have reached out to you on Blockscan. Thank you for cooperating with us.”