Super Sushi Samurai (SSS) is a GameFi project built on Coinbase's Base layer-2 blockchain, leveraging the Telegram messaging app for its operations. The project suffered a significant setback with a $4.8 million loss due to a critical exploit. This incident led to a drastic 99.9% drop in its token value, primarily caused by a vulnerability within its smart contract that allowed an attacker to manipulate token balances through a double-spending exploit.
<h3 id="heading-behind-the-breach">Behind the Breach</h3>
The exploit was caused by a vulnerability in the SSS smart contract's <code>_update()</code> function. This flaw allowed the attacker to double the balance of SSS tokens by transferring the entire balance to themselves. By repeating this process, the attacker exponentially increased their token balance and then liquidated it for 1,310 ETH, which amounted to approximately $4.8 million. This was facilitated by the contract not properly updating balances during self-transfers.
<hr />
Rivanorth is a boutique Web3 cybersecurity company. We specialise in smart contract audits and blockchain security advisory. Visit <a target="_blank" href="https://rivanorth.com/"><a href="https://rivanorth.com/" class="autolinkedURL autolinkedURL-url" target="_blank">rivanorth.com</a></a> to find out more.
You build the future. We help you secure it.

Super Sushi Samurai (SSS) is a GameFi project built on Coinbase's Base layer-2 blockchain, leveraging the Telegram messaging app for its operations. The project suffered a significant setback with a $4.8 million loss due to a critical exploit. This incident led to a drastic 99.9% drop in its token value, primarily caused by a vulnerability within its smart contract that allowed an attacker to manipulate token balances through a double-spending exploit.

### **Behind the Breach**

The exploit was caused by a vulnerability in the SSS smart contract's `_update()` function. This flaw allowed the attacker to double the balance of SSS tokens by transferring the entire balance to themselves. By repeating this process, the attacker exponentially increased their token balance and then liquidated it for 1,310 ETH, which amounted to approximately $4.8 million. This was facilitated by the contract not properly updating balances during self-transfers.

---

Rivanorth is a boutique Web3 cybersecurity company. We specialise in smart contract audits and blockchain security advisory. Visit [**https://rivanorth.com/**](https://rivanorth.com/) to find out more.

You build the **future**. We help you **secure** it.

Hack Explained - Super Sushi Samurai

As a leading cybersecurity company, we specialise in securing emerging tech with research based state of the art security services.
You build the future. We help you secure it.
