Analysis of xSushi's incident

Reading time saved: 11 minutes

5 replies, 5375 views, 14 likes



A potential attack vector involving xSUSHI on Aave V2 was identified and mitigated on November 2, 2021, thanks to the collaborative efforts of the Aave community and key contributors from other DeFi communities. The incident underscored the need for further research on pricing systems for complex assets and thorough due diligence on new asset listings, while also highlighting the importance of maintaining high standards within DeFi communities.

On October 27, 2021, a potential attack vector involving xSUSHI on Aave V2 was identified, reminiscent of a vulnerability exploited on the Cream protocol. The Aave community, in collaboration with other DeFi communities, promptly evaluated potential attack scenarios and took precautionary measures. A proposal to eliminate the attack surface was created and executed by the Aave community on November 2, 2021, ensuring the safety of the funds throughout the process. Key contributors to this effort included Flashfish0x from the Yearn community and Nipun_pit from Alpha Finance, who were instrumental in alerting about the potential problem and assisting with attack simulations. A bounty was proposed by Eboado for their significant contributions.

The potential attack involved a complex manipulation of the exchange rate of xSUSHI, a governance token representing a stake position on the Sushi platform. The attacker would inflate the price of xSUSHI, allowing them to borrow a large amount of assets using the inflated xSUSHI as collateral, and then abandon the borrowed assets, leaving the protocol under-collateralized. However, the attack was not feasible after the Cream incident, and certain liquidity conditions would have been required for it to be possible. After the execution of the proposal on November 2, the protocol was fully protected, and no attack was performed on the Aave protocol.

The incident highlighted the need for further development and research around new pricing systems for complex assets like xSUSHI, as well as deeper due diligence on all listing steps of new assets. Eboado also emphasized the importance of maintaining high standards of behavior within the DeFi communities, especially during incidents like these. The bounty amount of $50,000 each for Flashfish0x and Nipun_pit was questioned by Kx9x, but Eboado and Emilio clarified that the bounty was a token of appreciation for the security researchers' valuable insights, even though the Aave community and Gauntlet had already identified the issue and started developing a fix.

Posted 2 years ago

Last reply 2 years ago

Summary updated 2 months ago

Last updated 04/12 00:18