Super Sushi Samurai Hack Analysis
Published in
2 min readApr 8, 2024
Overview:
On March 21, 2024, Super Sushi Samurai suffered an attack due to a double token transfer issue, leading to an approximate loss of over 4.8M USD.
Smart Contract Hack Overview:
- Attacker address: 0x6a89a8
- Vulnerable Contract: 0xdfdcdb
- Attack Contract:0xded85d
- Attack Transaction: 0x62e6b9
Decoding the Smart Contract Vulnerability:
- The attacker manipulated the transfer function by initiating transactions with both the sender and receiver addresses set to their own.
- The update function, triggered by the transfer, lacked the necessary checks, making it vulnerable to exploitation.
- Without differentiation between standard transfers and self-transfers, the update function effectively doubled the attacker’s token balance with each transaction.
- In the `postCheck` function, the `toBalance` calculation compounded the vulnerability by adding current `balances[to]` to the `amountAfterTax` values.
- Since both `balances[from]` and `balances[to]` were updated after `postCheck`, and with identical addresses in the transfer, they pointed to the same storage location.
- Consequently, balances[to] doubled with each transaction, allowing attackers to profit at the expense of Super Sushi Samurai and its users.
Mitigation and Best Practices:
- This easy but powerful action could have stopped the problem that caused tokens to double by mistake: require(from != to, “Both addresses cannot be the same.”);
- Always validate your code by writing comprehensive test cases that cover all the possible business logic.
- To prevent such vulnerabilities, the best Smart Contract auditors must examine the Smart Contracts for logical issues. We at CredShields provide smart contract security and end-to-end security of web applications and externally exposed networks. Schedule a call at https://credshields.com/
- Scan your Solidity contracts against the latest common security vulnerabilities with 130+ detections at SolidityScan
Conclusion:
SolidityScan is an advanced smart contract scanning tool that discovers vulnerabilities and reduces risks in code. Request a security audit with us, and we will help you secure your smart contracts. Signup for a free trial at https://solidityscan.com/signup
Follow us on our Social Media for Web3 security-related updates.
SolidityScan — LinkedIn | Twitter | Telegram | Discord