Super Sushi Samurai, a blockchain game native to layer-2 solution Blast, was exploited hours before its much-anticipated gaming product was launched.
The exploit, reportedly orchestrated by a white hat hacker, has resulted in a loss of $4.6 million due to a bug in its smart contract code.
According to an announcement from the Super Sushi Samurai team, the exploit was due to a bug in the smart contract code, allowing an unauthorized party to initiate an infinite mint function. This resulted in the creation of an excessive number of tokens that were subsequently sold into the liquidity pool.
CertiK, an on-chain security firm, confirmed the extent of the exploit, stating that $4.6 million worth of tokens were affected. According to CoinGecko data, the exploit led to a 99% token value slippage following an unauthorized token dump. The attacker managed to get 1310 ETH from the token’s main liquidity pool by exploiting the smart contract vulnerability.
Investigations into the incident revealed that an unauthorized party acquired 690 million SSS tokens and initiated a series of transactions through an attack contract designed for this purpose.
Exploiting a vulnerability within the platform’s update function, the attacker duplicated the tokens in their possession 25 times, inflating the quantity to 11.5 trillion, which was then exchanged for approximately 1,310 ETH.
Following the breach, Super Sushi Samurai has actively engaged with its community, providing updates and assurances through its official Telegram channel and other social media platforms.
In an X post, they revealed that the exploit was conducted by white hat hacker who is currently in communication with their team. The hacker’s message, visible on Blastscan, indicated that it was a rescue mission and plans to reimburse affected users were underway.
They have also disclosed the address containing the compromised funds to facilitate tracking and potential recovery of the lost assets and that they are working with the white hat hacker to ensure the safe return of funds.
Meanwhile, a “post-mortem” update from Super Sushi Samurai outlines the extent of the damage, with negotiations ongoing to reach a resolution that safeguards both users and the white hat hacker involved in the incident.