News talk

SushiSwap Finds Vulnerability and Fixes It Saving A Potential $350 Million Loss

First, using msg.value in complex systems is hard. It’s a global variable that you can’t change and persists across delegate calls. If you use msg.value to check that payment was received, you absolutely cannot place that logic in a loop. As a codebase grows in complexity, it’s easy to lose track of where that happens and accidentally loop something in the wrong place. Although wrapping and unwrapping of ETH is annoying and introduces extra steps, the unified interface between WETH and other ERC20 tokens might be well worth the cost if it means avoiding something like this.

Second, safe components can come together to make something unsafe. I’ve preached this before in the context of composability and DeFi protocols, but this incident shows that even safe contract-level components can be mixed in a way that produces unsafe contract-level behavior. There’s no catch-all advice to apply here like “check-effect-interaction,” so you just need to be cognizant of what additional interactions new components are introducing.
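The failure mode and the WETH-based alternative described above, as an added Solidity example constructed for this digest (not MISO's or SushiSwap's code); the contract and function names are assumptions:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Constructed illustration, not MISO's code: a sale contract that credits
// msg.value and also exposes a delegatecall-based batch() helper.
contract VulnerableSale {
    mapping(address => uint256) public credited;

    // Credits the caller for the ETH attached to the call.
    function commitEth() external payable {
        credited[msg.sender] += msg.value;
    }

    // Generic multicall. delegatecall keeps msg.sender AND msg.value, so every
    // iteration sees the same msg.value, not what is left to spend.
    function batch(bytes[] calldata calls) external payable {
        for (uint256 i = 0; i < calls.length; i++) {
            (bool ok, ) = address(this).delegatecall(calls[i]);
            require(ok, "sub-call failed");
        }
    }
    // batch([commitEth, commitEth]) with 1 ETH attached: the contract's
    // balance rises by 1 ETH, but credited[msg.sender] rises by 2 ETH.
}

// Hardened variant: payment is pulled per call via WETH.transferFrom, so each
// loop iteration moves real tokens instead of re-reading a global value, and
// batch() is no longer payable, so stray ETH is rejected.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract HardenedSale {
    IERC20 public immutable weth;
    mapping(address => uint256) public credited;

    constructor(IERC20 _weth) { weth = _weth; }

    // Caller must have approved this contract for `amount` WETH beforehand.
    function commit(uint256 amount) external {
        require(weth.transferFrom(msg.sender, address(this), amount), "transfer failed");
        credited[msg.sender] += amount;
    }

    function batch(bytes[] calldata calls) external {
        for (uint256 i = 0; i < calls.length; i++) {
            (bool ok, ) = address(this).delegatecall(calls[i]);
            require(ok, "sub-call failed");
        }
    }
}
```

Auditing tip implied by the excerpt: grep for every read of msg.value and confirm none of them is reachable from a loop or a delegatecall-based multicall.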

Liquid Global Hacked for ~$90 Million

This time, the MPC wallet (used for warehousing / delivery management of cryptographic assets) used by our Singapore subsidiary QUOINE PTE was damaged by hacking. The impact on us is currently being confirmed.

The cold wallet used for segregation management is safe, and no impact on the assets entrusted to us by our customers has been confirmed.

Under these circumstances, we will suspend the warehousing and withdrawal of cryptographic assets until the security of all wallets is confirmed.

We are still investigating the details, so we will contact you by email or Twitter if there is a resumption of warehousing / delivery of crypto assets and progress in the situation.

MPC (multi-party computation) is an advanced cryptographic technique in which the private key controlling funds is generated collectively by a set of parties, each holding only its own share and never seeing the shares computed by the others, so the full key is never assembled in one place. Liquid Global's blog post did not explain how this security arrangement was circumvented.

Cybercrime Group Offering $1 Million in Bitcoin to Target Employees to Deploy Ransomware on Their Company Networks