$3 million cryptocurrency heist stemmed from a malicious GitHub commit

September 20, 2021 By Ax Sharma

4 minute read time

SushiSwap's MISO cryptocurrency platform suffered a $3 million theft resulting from a software supply chain attack, as I reported on Friday.

By making just one malicious code commit to Sushi's private GitHub repository called "miso-studio," the attacker could alter the front-end for the company’s auction site, and replace the authentic wallet address with their own.

As such, the 864.8 Ethereum tokens – currently worth approximately $3 million in cash – collected for an automobile auction were diverted to the attacker's wallet once the auction was finalized.

Sushi released a brief postmortem report of the incident, attributing the problem to a slip in their Git procedure:

"On Friday, September 17, Miso suffered a supply chain exploit, whereupon the fund wallet address was fixed to [the attacker's wallet] for ETH and WETH (Ethereum format) auctions."

"The studio repo had a procedure to open PRs on the dev branch and go through review to merge into the master branch. However, this process was not enforced by git branch protection settings."

Supply chain security needs more than a tad of luck

This time around, the attacker turned out to be an "anonymous contractor" working on Sushi's repository who had injected malicious code into MISO's front repo, according to the company’s CTO.

A few hours following the hack, I noticed the attacker's $3 million wallet balance began dropping, starting with 100 Ethereum tokens that were deposited back into Sushi's cryptocurrency reserve. That was when I started wondering, are the funds being returned by the oh-so-benevolent attacker?

Turns out, yes, the entirety of the funds were sent back by the attacker to the company within a day:

"The full funds were returned to the Operational Multisig after a period of discussion in quantities of 100 ETH, 700 ETH, and 65 ETH," confirms Sushi in the same write-up. The recovered funds are due to be forwarded to their rightful owner, the automobile company who had run the auction.

The incident has echoes of the recent Poly Network heist in which a threat actor had stolen $611 million worth of assets from the cryptocurrency network by exploiting a security vulnerability. After warning the attacker of the possibility of legal repercussions, the network was able to successfully recover the funds.

But this may not be the case every time, especially when advanced threats breach the software supply chain. For example, ransomware gangs are experienced with conducting large-scale negotiations, and a quick discussion or mere legal threat may not be enough to convince them to work out a solution.

Sushi has now added Git breach protections, including for administrator accounts and master/main branches, mandating a pull request approval and signature policy. The company is additionally in the process of integrating supply-chain security tooling and "automated diff checker implementations" to prevent such incidents from happening again.

And, this isn't the only DevSecOps incident of this month either. Last week, a flaw in the continuous integration, continuous delivery (CI/CD) tool Travis CI potentially exposed secrets — credentials and API keys for thousands of open source projects relying on it for over a week. During this period, any attacker could craft a pull request to exfiltrate such secrets for all GitHub projects using Travis.

Supply chain attacks up by 650% and expected to grow

Next-generation software supply chain attacks like these have increased dramatically in the past year, according to Sonatype's 2021 State of the Software Supply Chain report. Malicious actors are constantly moving upstream to infiltrate open source software and cause widespread damage.

As such, with supply-chain vulnerabilities like these, security professionals are constantly racing against cybercriminals and time to be proactive.

And the same goes for developers building world-class software applications.

Manually monitoring Common Vulnerabilities and Exposures (CVE) feeds and hard-to-find vulnerability disclosures, and then applying mitigations are no longer feasible, when your time should be going towards doing what you love: building kick-ass software.

Sonatype's world-class security research data, combined with our automated malware detection technology safeguards your developers, customers, and software supply chain from vulnerabilities and malware.

---

EDITOR’S NOTE: A $12 million attack happened just before publish in the DeFi platform pNetwork via a vulnerability exploit.

---

Photo credit: Yancy Min

Tags: vulnerabilities

Written by Ax Sharma

Ax is a Security Researcher at Sonatype and Engineer who holds a passion for perpetual learning. His works and expert analyses have frequently been featured by leading media outlets. Ax's expertise lies in security vulnerability research, reverse engineering, and software development. In his spare time, he loves exploiting vulnerabilities ethically and educating a wide range of audiences.