The Super Sushi Samurai (SSS) GameFi project, which operates on Coinbase’s Base layer-2 blockchain and the Telegram messaging app, experienced a significant security breach on March 21. A self-proclaimed white hat hacker identified a double-spending glitch and managed to withdraw $4.8 million from the project’s liquidity pools.
Blockchain analytics firm CertiK analyzed the vulnerability and traced it to the SSS contract’s “_update()” function, which failed to update balances correctly when tokens were transferred to the sender’s own address. As a result, a user who transferred their entire SSS token balance to themselves saw that balance double.
During the incident, a user with the address 0x786C8f95C17BB990a040dc4D6539B01FC1b72842 initially purchased 690 million SSS tokens. They then transferred the entire balance to themselves 25 times, doubling it each time. Ultimately, they ended up with 11.5 trillion SSS tokens, which were subsequently sold for 1,310 ETH (equivalent to approximately $4,590,827).
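To make the bug class concrete, the following is an added illustration and not the SSS contract’s code (the token contract, function names and layout are assumptions): a cached-read “_update()” that double-credits a self-transfer, next to a version that debits storage before it credits, plus a supply invariant a test suite could check to catch this class of defect before deployment.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal token reconstructing the self-transfer bug class.
// It is NOT the SSS contract; names and layout are assumptions.
contract SelfTransferDemo {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    constructor(uint256 supply) {
        totalSupply = supply;
        balanceOf[msg.sender] = supply;
    }

    // VULNERABLE pattern (kept only for comparison, never called):
    // both balances are cached before either write. When from == to,
    // the second store overwrites the first, so the account keeps its
    // old balance and gains `value` on top of it.
    function _updateBuggy(address from, address to, uint256 value) internal {
        uint256 fromBalance = balanceOf[from];
        uint256 toBalance = balanceOf[to];
        require(fromBalance >= value, "insufficient balance");
        balanceOf[from] = fromBalance - value;
        balanceOf[to] = toBalance + value; // from == to: old balance + value
    }

    // FIXED pattern: debit storage first, then credit by re-reading it
    // (the ordering OpenZeppelin's ERC20._update uses), so a
    // self-transfer nets to zero.
    function _update(address from, address to, uint256 value) internal {
        uint256 fromBalance = balanceOf[from];
        require(fromBalance >= value, "insufficient balance");
        balanceOf[from] = fromBalance - value; // debit first
        balanceOf[to] += value;                // sees the debited value when from == to
    }

    function transfer(address to, uint256 value) external returns (bool) {
        _update(msg.sender, to, value);
        return true;
    }

    // Defensive invariant: the balances of all known holders must never
    // exceed totalSupply. A self-transfer through the buggy path breaks
    // this on the very first call; the fixed path never does.
    function supplyInvariantHolds(address[] calldata holders) external view returns (bool) {
        uint256 sum;
        for (uint256 i = 0; i < holders.length; i++) sum += balanceOf[holders[i]];
        return sum <= totalSupply;
    }
}
```

In a fuzzing or invariant test the holder list would be collected off-chain from Transfer events; passing it in here keeps the check self-contained.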
Following the incident, the user responsible for the double-spending attack posted a message on the blockchain stating that their intentions were not malicious.
However, whatever their claimed goodwill, the self-proclaimed white hat hacker’s actions led to the collapse of the SSS token and the loss of $4.8 million in funds. Prior to the collapse, the SSS token had a total market capitalization of $27.75 million. Since then, the tokens have lost over 99% of their value. The developers of SSS responded to the incident.
This incident is reminiscent of a similar occurrence just a month earlier, when the ERC-X token Miner crashed 99% after a user discovered a double-spending glitch that allowed infinite minting of tokens. Yu Xian, co-founder of Singaporean blockchain security firm SlowMist, commented on that incident, pointing to the low-level loophole in the contract that let users double their balance by transferring funds to themselves. That glitch resulted in losses of over $10 million for users.
In a related incident, an attacker exploited an “infinite money glitch” to drain funds from KyberSwap, further emphasizing the importance of addressing and preventing such vulnerabilities in decentralized finance (DeFi) platforms.