Super Sushi Samurai (SSS) is a GameFi project built on Coinbase's Base layer-2 blockchain, leveraging the Telegram messaging app for its operations. The project suffered a significant setback with a $4.8 million loss due to a critical exploit. This incident led to a drastic 99.9% drop in its token value, primarily caused by a vulnerability within its smart contract that allowed an attacker to manipulate token balances through a double-spending exploit.
Behind the Breach
The exploit was caused by a vulnerability in the SSS smart contract's _update() function. This flaw allowed the attacker to double the balance of SSS tokens by transferring the entire balance to themselves. By repeating this process, the attacker exponentially increased their token balance and then liquidated it for 1,310 ETH, which amounted to approximately $4.8 million. This was facilitated by the contract not properly updating balances during self-transfers.
