Malicious Smart Contract on Arbitrum Causes $2.8M SUN Token Loss
A recent exploit involving a malicious smart contract on the Arbitrum chain led to an estimated loss of $2.8 million in SUN tokens. SUN tokens were minted outside their usual issuance schedule, which let an attacker manipulate the token supply for substantial financial gain.
Details of the SUN Token Exploit
An attacker deployed a malicious smart contract on Arbitrum, directly impacting Sun (SUN) tokens. Here’s a breakdown of the key events:
- The attack involved minting additional SUN tokens and occurred shortly after an upgrade to the management smart contract.
- The attacker used the Across bridge to fund the initial wallet from Ethereum, enabling the unauthorized transactions.
- In a single transaction, a total of 200 trillion SUN tokens were minted and then rapidly swapped for USDT and WETH, resulting in nearly $2.8M in total losses.
These actions were promptly visible on the SUN token page. One transaction alone swapped SUN for more than 2.1M USDT, while the remaining SUN tokens generated an additional $750,000 loss through WETH swaps.
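The pattern described above (a mint outside the issuance schedule, far larger than the existing supply, shortly after a contract upgrade) can be watched for in token event logs. The following is an added example, not code from the article or from the Sunray project. It assumes mints appear as ERC-20 Transfer events from the zero address and that upgrades emit an "Upgraded" event; the addresses, block numbers, schedule and thresholds are constructed.

```python
from dataclasses import dataclass

ZERO = "0x" + "00" * 20  # ERC-20 mints show up as Transfer events from the zero address

@dataclass
class Event:
    block: int
    kind: str            # "Upgraded" (proxy implementation change) or "Transfer"
    sender: str = ZERO
    to: str = ZERO
    amount: int = 0      # whole tokens

def flag_mints(events, schedule, supply, upgrade_window=1_000, max_pct=5):
    """Return (block, amount, reasons) for mints that are off-schedule or oversized."""
    alerts, last_upgrade = [], None
    for ev in sorted(events, key=lambda e: e.block):
        if ev.kind == "Upgraded":
            last_upgrade = ev.block
        elif ev.kind == "Transfer" and ev.sender == ZERO:
            reasons = []
            if schedule.get(ev.block) != ev.amount:
                reasons.append("not in issuance schedule")
            if ev.amount * 100 > supply * max_pct:
                reasons.append(f"more than {max_pct}% of prior supply")
            # Upgrade proximity is context for an alert, not an alert by itself.
            if reasons and last_upgrade is not None and ev.block - last_upgrade <= upgrade_window:
                reasons.append(f"{ev.block - last_upgrade} blocks after upgrade")
            if reasons:
                alerts.append((ev.block, ev.amount, reasons))
            supply += ev.amount
        elif ev.kind == "Transfer" and ev.to == ZERO:
            supply -= ev.amount  # burn
    return alerts

# Constructed sample data; addresses, blocks and the schedule are hypothetical.
HOLDER, MINT_TO = "0x" + "aa" * 20, "0x" + "bb" * 20
SCHEDULE = {100: 1_000_000, 300: 1_000_000}   # block -> expected mint amount
INITIAL_SUPPLY = 100_000_000
SAMPLE_EVENTS = [
    Event(100, "Transfer", ZERO, HOLDER, 1_000_000),      # scheduled mint
    Event(200, "Upgraded"),
    Event(205, "Transfer", ZERO, MINT_TO, 200 * 10**12),  # 200 trillion, as reported
    Event(210, "Transfer", HOLDER, ZERO, 500),            # burn
    Event(300, "Transfer", ZERO, HOLDER, 1_000_000),      # scheduled mint after upgrade
]

if __name__ == "__main__":
    for block, amount, reasons in flag_mints(SAMPLE_EVENTS, SCHEDULE, INITIAL_SUPPLY):
        print(block, amount, "; ".join(reasons))
```

The scheduled mint at block 300 is not flagged even though it follows the upgrade, because proximity to an upgrade is only attached to mints that are already off-schedule or oversized.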
Impact on SUN Token and Arbitrum Network
Though the Arbitrum network remained unaffected by the attack, the hack had significant repercussions for the SUN token and its investors:
- SUN token value plummeted after the main exchange’s liquidity was drained, with the exploit transaction constituting nearly all of SUN’s trading volume to date.
- Approximately 94% of all SUN tokens were held in a single wallet, indicating the project was still under centralized control. Fortunately, no individual wallet holding SUN was directly impacted, because the attacker offloaded newly minted tokens.
Although the Arbitrum network itself was not affected, the exploit follows a pattern: it occurred just days after another smart contract vulnerability on Arbitrum was used to drain $93,000 in tokens.
Sunray DEX and SUN Token Details
The Sunray DEX, the primary platform associated with SUN, was alerted to suspicious activity originating from its treasury. The team confirmed that SUN and ARC tokens flowed out of their treasury, although the likelihood of retrieval is low given the tokens have already been swapped for USDT. Key details about the project include:
- The DEX, created with SoftBank involvement, launched SUN as a store of value and collateral for decentralized finance, although it remains an inactive platform with limited features.
- The Sunray Finance protocol advertised high passive income potential (up to 299%) for SUN holders, supplemented by ARC governance tokens.
- Despite the platform’s promise, its social media presence suggests it was unprepared for current DEX and Web3 security challenges.
Concerns Around Sunray Finance’s Security
While Sunray Finance claims its smart contracts were audited, the exploit raises questions about the project’s security measures and overall readiness. Key observations include:
- The Sunray DEX operates without a standalone landing page, relying instead on SoftBank’s backing.
- SoftBank has previously funded various crypto initiatives, some of which were successful while others, like FTX, experienced significant losses.
This exploit, although smaller in scale compared to other DEX hacks, hints at potential vulnerabilities in projects associated with major financial backers, underscoring the importance of rigorous security protocols for blockchain platforms.