Super Sushi Samurai (SSS), a GameFi project built on Coinbase’s Base layer-2 blockchain and the Telegram messaging app, experienced a significant withdrawal of $4.8 million on March 21. The withdrawal was made by a self-proclaimed white hat hacker who discovered a double-spending glitch in the project’s liquidity pools.
According to blockchain analytics firm CertiK, the vulnerability lies within the _update() function of the SSS contracts, which does not correctly update balances on a self-transfer (when sender and recipient are the same address). As a result, when a user transfers their entire balance of SSS tokens to themselves, the resulting balance is doubled.
During the incident, one user, identified as the address 0x786C8f95C17BB990a040dc4D6539B01FC1b72842, initially purchased 690 million SSS tokens. They then transferred the entire balance to themselves and doubled it 25 times, resulting in a total of 11.5 trillion SSS tokens. These tokens were subsequently sold for 1,310 ETH, equivalent to approximately $4,590,827.
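As an added illustration (not code from the SSS project or from CertiK), the following Python model reproduces the self-transfer defect described above and the invariant check that would have caught it. It assumes the usual shape of this bug class: `_update()` reads both balances into locals before writing either, so on a self-transfer the credit overwrites the debit; the starting balance of 690,000,000 is a constructed sample.

```python
"""Model of an ERC-20-style _update(from, to, value) with and without the self-transfer bug."""


class Ledger:
    """Token balance bookkeeping. cached_reads=True reproduces the assumed defect shape."""

    def __init__(self, cached_reads: bool):
        self.cached_reads = cached_reads
        self.balances: dict[str, int] = {}
        self.total_supply = 0

    def mint(self, to: str, value: int) -> None:
        self.balances[to] = self.balances.get(to, 0) + value
        self.total_supply += value

    def update(self, sender: str, recipient: str, value: int) -> None:
        from_bal = self.balances.get(sender, 0)
        if from_bal < value:
            raise ValueError("insufficient balance")
        if self.cached_reads:
            # Vulnerable pattern: recipient balance cached BEFORE the debit is written.
            to_bal = self.balances.get(recipient, 0)   # stale when sender == recipient
            self.balances[sender] = from_bal - value
            self.balances[recipient] = to_bal + value  # clobbers the debit: balance doubles
        else:
            # Fixed pattern: write the debit first, then re-read the recipient balance,
            # so a self-transfer nets to zero and total supply is conserved.
            self.balances[sender] = from_bal - value
            self.balances[recipient] = self.balances.get(recipient, 0) + value

    def supply_invariant_holds(self) -> bool:
        """Detection check: the sum of all balances must always equal total supply."""
        return sum(self.balances.values()) == self.total_supply


def self_transfer_full_balance(ledger: Ledger, account: str, times: int) -> int:
    """Transfer the account's whole balance to itself `times` times; return the final balance."""
    for _ in range(times):
        ledger.update(account, account, ledger.balances.get(account, 0))
    return ledger.balances.get(account, 0)


if __name__ == "__main__":
    # Constructed sample: 690,000,000 tokens, three self-transfers.
    for buggy in (True, False):
        ledger = Ledger(cached_reads=buggy)
        ledger.mint("0xATTACKER", 690_000_000)  # placeholder address
        final = self_transfer_full_balance(ledger, "0xATTACKER", 3)
        print(f"cached_reads={buggy}: balance={final}, invariant={ledger.supply_invariant_holds()}")
```

A unit test that performs a full-balance self-transfer and then asserts the supply invariant is the cheapest way to catch this class of bug before deployment.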
In an on-chain message, the user who double-spent the tokens stated their intentions while claiming to be a white hat hacker. Whatever the stated motive, their actions led to the collapse of the SSS token, causing a loss of $4.8 million. Prior to the collapse, SSS had a market cap of $27.75 million. Since then, the tokens have lost over 99% of their value.
This incident is reminiscent of the recent crash of the ERC-X token Miner, which also suffered a 99% loss in value due to a double-spending glitch. Singaporean blockchain security firm SlowMist commented on the incident, stating that the contract’s low-level loopholes allowed users to double their balances by transferring money to themselves. This glitch resulted in user losses of over $10 million.
These incidents highlight the importance of robust security measures in blockchain projects to prevent vulnerabilities and protect user funds.