GameFi project Super Sushi Samurai (SSS), built on Coinbase’s Base layer-2 blockchain and the Telegram messaging app, saw a $4.8 million withdrawal on March 21 from its liquidity pools by a self-proclaimed white hat upon the discovery of a double spending glitch.
In a statement to Cointelegraph, blockchain analytics firm CertiK noted that “the vulnerability is within the [SSS] contracts _update() function, which doesn’t correctly update balances when transferring to self.” So, when a user transfers their entire balance of SSS tokens to themselves, the resulting balance is doubled.
The @SSS_HQ $SSS LP was just drained on blast because their token contract has a bug where transferring your entire balance to yourself doubles it.
The order of operations decrements the balance for “from” and then sets the balance for “to” – if these are the same address, the… pic.twitter.com/RStMcFH3sy
— Coffee ☕️ (@coffeexcoin) March 21, 2024
CertiK noted that during the incident, one user, operating the address 0x786C8f95C17BB990a040dc4D6539B01FC1b72842, initially purchased 690 million SSS tokens, transferred the entirety of the balance to themselves, doubled it 25 times, and finally ended “with 11.5 trillion SSS tokens which were then sold for 1,310 ETH (~$4,590,827).”
Shortly after the incident, the user who double-spent the tokens stated in a blockchain message:
“Hi team, this is a whitehat rescue hack. Let’s work on reimbursing the users. Please reach out via Blockscan chat from the SSS deployer 0x555b28f3b8b3b8ebd1b06997c2078fd94529f555 on Ethereum mainnet.”
Despite their goodwill, however, it is worth noting that the self-proclaimed white hat led to the collapse of the SSS token after withdrawing $4.8 million in funds. Prior to the collapse, SSS had a total market cap of $27.75 million. The tokens have since lost over 99% of their value. The same day, SSS developers responded:
“Hello, white hat; we have reached out to you on Blockscan. Thank you for cooperating with us. SSS Team.”
Just one month prior, the novel ERC-X token Miner crashed 99% after a user discovered a double-spending glitch that led to the infinite minting of tokens. “It’s a pity that the contract has low-level loopholes. You can double your balance by transferring money to yourself,” said Yu Xian, co-founder of Singaporean blockchain security firm SlowMist, regarding the incident. The glitch led to user losses of over $10 million.
Related: KyberSwap attacker used ‘infinite money glitch’ to drain funds — DeFi expert