Root-cause analysis not yet published. The incident description below contains all currently available signal — review the attack transaction directly for definitive forensics.
SushiSwap's BentoBoxv1 contract was attacked, and the hacker made a profit of about $26,000. According to analysis, the attack is due to the Kashi Medium Risk ChainLink price update later than the mortgage/loan. In the two attack transactions, the attacker flashloaned 574,275 and 785,560 xSUSHI respectively. After mortgage and loan, the price of kmxSUSHI/USDT in LINK Oracle dropped by 16.9%. By exploiting this price gap, the attacker can call the liquidate() function to liquidate and obtain 15,429 and 11,333 USDT. Attack method (per SlowMist): Price Manipulation. Reported loss: $ 26,000.
- chain
- —
- protocol
- SushiSwap
- bug_class
- oracle
- date_occurred
- 2023-02-10
- loss_usd
- $26,000
- source_id
- sm:sushiswap::2023-02-10