Token Troubles: Super Sushi Samurai’s 99% Plummet

Super Sushi Samurai (SSS), a GameFi project built on Coinbase’s Base layer-2 blockchain and the Telegram messaging app, experienced a significant security breach on March 21. A self-proclaimed white hat hacker exploited a double-spending glitch and withdrew $4.8 million from the project’s liquidity pools. CertiK, a blockchain analytics firm, revealed that the vulnerability lies within the SSS contracts’ update() function, which fails to properly update balances during self-transfers. Consequently, when a user transfers their entire SSS token balance to themselves, the balance ends up being doubled.
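The self-transfer doubling described above can be reproduced in a small ledger model, shown here next to a corrected update and a supply-conservation check of the kind a test suite would run. This is an added example in Python, not the SSS contract source: it assumes the flaw is the common pattern of reading both balances before writing either, and the class, method names and balances are constructed for illustration.

```python
# Constructed model of an ERC-20-style ledger; not the SSS contract source.
# Assumption: the flaw is the common "read both balances, then write both"
# pattern, which matches the self-transfer doubling the article describes.

class Ledger:
    def __init__(self, balances):
        self.balances = dict(balances)

    def total_supply(self):
        return sum(self.balances.values())

    def update_vulnerable(self, sender, recipient, amount):
        # Both balances are read before either is written.
        from_bal = self.balances.get(sender, 0)
        to_bal = self.balances.get(recipient, 0)
        if from_bal < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] = from_bal - amount
        # When sender == recipient, to_bal is stale and overwrites the debit.
        self.balances[recipient] = to_bal + amount

    def update_fixed(self, sender, recipient, amount):
        from_bal = self.balances.get(sender, 0)
        if from_bal < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] = from_bal - amount
        # Re-read the recipient after the debit so a self-transfer nets to zero.
        self.balances[recipient] = self.balances.get(recipient, 0) + amount


def supply_conserved(update_name, sender, recipient, amount):
    """Invariant check: a transfer must never change total supply.

    Returns (invariant_holds, sender_balance_after).
    """
    ledger = Ledger({"alice": 690, "bob": 310})  # constructed sample balances
    before = ledger.total_supply()
    getattr(ledger, update_name)(sender, recipient, amount)
    return ledger.total_supply() == before, ledger.balances[sender]


if __name__ == "__main__":
    for name in ("update_vulnerable", "update_fixed"):
        print(name, "self-transfer:", supply_conserved(name, "alice", "alice", 690))
        print(name, "normal transfer:", supply_conserved(name, "alice", "bob", 100))
```

Ordinary transfers pass the invariant under both versions, which is why a test suite without a sender-equals-recipient case would not surface the flaw.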

During the incident, one user operating under the address 0x786C8f95C17BB990a040dc4D6539B01FC1b72842 bought 690 million SSS tokens and transferred the entire balance to themselves. They proceeded to double the balance 25 times, resulting in 11.5 trillion SSS tokens, which were subsequently sold for 1,310 ETH (approximately $4,590,827). Following the withdrawal, the user sent a message on the blockchain claiming to be executing a white hat rescue hack and expressed the intention of reimbursing affected users. They encouraged communication through the SSS deployer’s Blockscan chat.

Despite the user’s intentions, the withdrawal of $4.8 million ultimately led to the collapse of the SSS token, which lost over 99% of its value. Prior to the incident, the SSS token had a total market cap of $27.75 million. SSS developers acknowledged the white hat hacker’s message and thanked them for their cooperation.

This situation mirrored a previous incident involving the ERC-X token Miner, which plummeted by 99% due to a double-spending glitch that allowed for the infinite minting of tokens. Yu Xian, co-founder of SlowMist, a blockchain security firm based in Singapore, lamented the low-level vulnerabilities in the contract that enabled users to double their balances through self-transfers. The glitch caused users to suffer losses exceeding $10 million.

Vinnie Glazier
