Super Sushi Samurai (SSS), a GameFi project, recently experienced a significant setback when a self-proclaimed white hat hacker exploited a balance-doubling bug (widely reported as a "double-spending glitch") and drained about $4.8 million from its liquidity pools. The project, which operates on Coinbase's Base layer-2 blockchain and as a Telegram game, fell victim to a vulnerability in the SSS token contract's update() function. The function does not account for the sender and recipient being the same address: on a self-transfer the credit to the recipient is applied on top of the original balance rather than the already-debited one, so every transfer of a holder's full balance to their own address leaves them with twice as many tokens.
The incident involved a user with the address 0x786C8f95C17BB990a040dc4D6539B01FC1b72842, who first purchased 690 million SSS tokens and then transferred their entire balance to themselves. They repeated this self-transfer 25 times, ultimately accumulating 11.5 trillion SSS tokens, which they sold for 1,310 ETH (approximately $4,590,827 at the time).
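To make the mechanism concrete, the following Python model is an added example and not the SSS contract's code. It assumes the shape of bug described above: a balance-update routine that reads both the sender's and the recipient's balances into locals before writing either back, so that when sender and recipient are the same address the second write overwrites the first. A fixed ledger and a supply-conservation check are shown beside it, and the attack loop repeats the self-transfer the way the article describes.

```python
"""Model of a self-transfer balance-doubling bug in an ERC-20-style ledger.

Added example, not the SSS contract. Assumption: the vulnerable _update()
cached both balances before writing them back (the same pattern blamed in
this incident); the fix re-reads the recipient balance after the debit.
"""
from dataclasses import dataclass, field


@dataclass
class VulnerableToken:
    """Ledger whose transfer() caches both balances before writing."""
    total_supply: int = 0
    balances: dict = field(default_factory=dict)

    def mint(self, to: str, amount: int) -> None:
        self.balances[to] = self.balances.get(to, 0) + amount
        self.total_supply += amount

    def transfer(self, sender: str, recipient: str, amount: int) -> None:
        from_balance = self.balances.get(sender, 0)
        to_balance = self.balances.get(recipient, 0)  # stale when recipient == sender
        if from_balance < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] = from_balance - amount
        # When sender == recipient this line overwrites the debit above with
        # (original balance + amount): the holder gains `amount` out of thin air.
        self.balances[recipient] = to_balance + amount


class FixedToken(VulnerableToken):
    """Same ledger, but the credit is applied to the *current* recipient balance."""

    def transfer(self, sender: str, recipient: str, amount: int) -> None:
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        # Re-reading storage here is what makes a self-transfer a no-op.
        self.balances[recipient] = self.balances.get(recipient, 0) + amount


def supply_invariant_holds(token: VulnerableToken) -> bool:
    """sum(balances) == total_supply. Any balance-inflation bug breaks this."""
    return sum(token.balances.values()) == token.total_supply


def self_transfer_attack(token: VulnerableToken, attacker: str, rounds: int) -> int:
    """Send the whole balance to oneself `rounds` times; return the final balance."""
    for _ in range(rounds):
        token.transfer(attacker, attacker, token.balances[attacker])
    return token.balances[attacker]


def run_demo(rounds: int = 25, start: int = 690_000_000) -> tuple:
    """Return (vulnerable_final, vulnerable_invariant_ok, fixed_final, fixed_invariant_ok).

    `start` and `rounds` mirror the figures reported for this incident; the
    attacker address is a constructed placeholder.
    """
    attacker = "0xattacker"
    vuln, fixed = VulnerableToken(), FixedToken()
    vuln.mint(attacker, start)
    fixed.mint(attacker, start)
    v_final = self_transfer_attack(vuln, attacker, rounds)
    f_final = self_transfer_attack(fixed, attacker, rounds)
    return v_final, supply_invariant_holds(vuln), f_final, supply_invariant_holds(fixed)


if __name__ == "__main__":
    print(run_demo())
```

Each self-transfer on the vulnerable ledger doubles the attacker's balance, so `rounds` self-transfers multiply it by 2 to the power of `rounds` without any mint being recorded; the `supply_invariant_holds` check is the test a token audit or fuzzing campaign should run after every transfer, and a one-line unit test that transfers a balance to its own address would have surfaced the bug before deployment. Note that adding `require(from != to)` is not the right fix; the credit simply has to operate on the balance as it stands after the debit, which is how OpenZeppelin's ERC20 `_update` does it by incrementing `_balances[to]` in place.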
Following the incident, the user behind the exploit left an on-chain message presenting the withdrawal as a white-hat action. Whatever the intent, the dump of the inflated supply collapsed the SSS token and cost the project $4.8 million in funds. Prior to the collapse, the SSS token had a market cap of $27.75 million; since then, the token has lost over 99% of its value.
This incident is not the first of its kind. Just a month earlier, the ERC-X token Miner suffered a similar self-transfer bug that allowed effectively unlimited minting of tokens. That flaw caused the token to crash by 99% and led to user losses exceeding $10 million. Yu Xian, co-founder of SlowMist, a Singaporean blockchain security firm, expressed disappointment at the low-level loopholes in the contract that made such exploits possible.
These incidents highlight how little it takes to drain a token: neither exploit needed a sophisticated attack, only a transfer to the caller's own address. A basic invariant test (the sum of all balances must equal the total supply after every transfer) or a single unit test covering the sender-equals-recipient case would have caught both bugs before deployment, and they serve as a reminder that the risks in smart contracts are as much about missing test coverage and review as about exotic vulnerabilities.