A supply-chain attack led an attacker to swindle $3 million worth of cryptocurrency from SushiSwap's MISO cryptocurrency platform by infecting Sushi’s private GitHub repository.

The storyline

According to researchers, the attacker was an anonymous contractor working on Sushi’s code repository.
  • The attacker made one malicious code commit to Sushi’s private GitHub repository (miso-studio), thus, leading to the theft of 864.8 Ethereum tokens (worth $3 million).
  • The stolen amount was being transferred by an automobile company on MISO’s auction portal.
  • In a surprising twist, just a few hours after the hack, the attacker’s $3 million wallet balance started to drop. The amount was deposited back into the cryptocurrency reserve of SushiSwap in chunks of 65 ETH, 100 ETH, and 700 ETH.
  • It was revealed that entire funds were sent back to the firm by the attacker in a single day. But this may not be the case every time, experts noted.

After the incident, the victim firm has strengthened its security walls against supply chain threats.

Recent supply chain attacks

  • According to Sonatype’s report, software supply chain attacks on crypto exchanges are growing. The significant increase in supply-chain attacks is due to the exploitation of vulnerabilities in these platforms.
  • Recently, pNetwork (a cross-chain decentralized finance protocol) suffered an attack that resulted in the loss of 277 pBTC. The stolen cryptocurrency is worth over $12 million at present prices.
  • Last month, around $611 million worth of cryptocurrency was stolen from a decentralized cross-chain protocol and network. The targeted firm was identified as Poly Network.


Supply chain attacks on cryptocurrency exchanges are becoming more frequent. The SushiSwap incident highlights the fact that a small flaw in the pull request or the code review process may lead to severe consequences. Organizations must take utmost precaution to avoid DevSevOps incidents.

Cyware Publisher