SushiSwap, a popular DEX protocol, was on the receiving end of what many called another rug pull attack, via the Badger DAO token DIGG. The transaction that caught everyone’s eye attempted to convert 0.05% of the DIGG/WBTC swap fees (for ~24hrs) through a DIGG/ETH pool with little liquidity, suffering high slippage and resulting in outsized fees for the liquidity providers of the DIGG/ETH pool.
The attacker exploited a loophole involving a low-liquidity pool with a non-ETH pair, where the trading fee that was supposed to go to the stakers on the network went to the attacker instead. The attacker used the loophole to create a new pair with a low-liquidity pool, resulting in a high transaction fee, and in the absence of a bridge that would send the fee to the stakers, that fee was taken by the exploiter.
Fortunately, no underlying LP or xSUSHI positions were affected; only the previous day's earnings for the affected asset (0.05% fees for DIGG/WBTC swaps – 81 ETH) were lost.
A bridge has been set up for DIGG through the maker contract to resolve this issue for xSUSHI participants. This bridge is also included in SushiMaker.
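The slippage effect described above, worked through as an added example (not code from SushiSwap or from the original article). It assumes constant-product pools with a 0.3% swap fee and a bridge through WBTC; every reserve and amount is a constructed sample value.

```python
# Added illustration; all pool reserves and amounts below are constructed sample values.
SWAP_FEE = 0.003  # assumption: 0.3% swap fee of a Uniswap-V2-style constant-product pool

def swap_out(amount_in, reserve_in, reserve_out):
    """Output of one x*y=k swap after the pool fee."""
    effective_in = amount_in * (1 - SWAP_FEE)
    return effective_in * reserve_out / (reserve_in + effective_in)

def route_result(amount_in, hops):
    """Walk a route of (reserve_in, reserve_out) pools.

    Returns (amount received, fraction of spot value lost to fees and slippage).
    """
    amount, spot_value = amount_in, amount_in
    for reserve_in, reserve_out in hops:
        amount = swap_out(amount, reserve_in, reserve_out)
        spot_value *= reserve_out / reserve_in
    return amount, 1 - amount / spot_value

def choose_route(amount_in, routes, max_loss):
    """Pick the route that returns the most, or None if every route loses more than max_loss."""
    best = None
    for name, hops in routes.items():
        received, loss = route_result(amount_in, hops)
        if loss <= max_loss and (best is None or received > best[1]):
            best = (name, received)
    return best[0] if best else None

# Constructed pools: reserves are (token in, token out).
THIN_DIGG_ETH = (1.0, 25.0)          # shallow DIGG/ETH pool
DEEP_DIGG_WBTC = (500.0, 500.0)      # deep DIGG/WBTC pool
DEEP_WBTC_ETH = (1000.0, 25000.0)    # deep WBTC/ETH pool

ROUTES = {
    "direct DIGG->ETH": [THIN_DIGG_ETH],
    "bridge DIGG->WBTC->ETH": [DEEP_DIGG_WBTC, DEEP_WBTC_ETH],  # hypothetical bridge path
}
FEE_DIGG = 2.0  # accumulated fee to convert (constructed)

if __name__ == "__main__":
    for name, hops in ROUTES.items():
        received, loss = route_result(FEE_DIGG, hops)
        print(f"{name}: {received:.2f} ETH received, {loss:.1%} of value lost")
    print("selected:", choose_route(FEE_DIGG, ROUTES, max_loss=0.02))
```

With these sample numbers, the direct route through the shallow pool leaves about two thirds of the fee's value behind in that pool, while the bridged route loses a little over 1%.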
A Major Mishap or a Minor Loophole?
A DeFi expert on Twitter revealed that the attack was not a major setback or even a rug pull, but rather more of a scavenger hunt:
Old loopholes opened up give a hacker a small reward.
24 hours of DIGG/WBTC swap fees snatched by an opportunist.
It ain't much, but is it honest work?
— rekt (@RektHQ) January 26, 2021
After researching further, we found that although there had been an exploit, the damage had already been contained, and what had been perceived as a threat to the entire SushiSwap protocol was simply a smart scavenger picking up food that had been left behind.
What many perceived to be another attack on the whole network turned out to be a minor mistake on the part of the Sushi team, who have now contained the problem and closed the loophole by creating the bridge for the DIGG token.