Malicious smart contract causes $2.8M in SUN token losses on Arbitrum

Source Cryptopolitan

A malicious smart contract on the Arbitrum chain caused an estimated loss of $2.7M. Initial analysis showed SUN tokens were minted outside their usual schedule. 

An attacker deployed a malicious smart contract to the Arbitrum chain, affecting Sun (SUN) tokens. The attack created more SUN out of thin air, leading to potential losses of $2.8M. The attack happened after the mgmt smart contract was upgraded in a single transaction, and then the funds were swapped in the next blocks. The attacker used the Across bridge to fund the initial wallet from Ethereum. 

The tokens were swapped right away, allowing the attacker to lock in the gains. The attacker minted a total of 200T SUN each, then swapped them for USDT almost immediately. The transactions were visible through the SUN token page and happened hours before being noticed.

SUN tokens were minted and swapped in two transactions, crashing the asset to zero. | Source: Nansen

One of the swap transactions was for more than 2.1M USDT, while the rest of the SUN tokens were swapped for WETH, causing another $750K loss. 

The Arbitrum network itself is not affected. The recent exploit comes just days after another vulnerable smart contract was drained of $93K of tokens via a faulty function. 

Arbitrum users were also affected by the recent Radiant Capital hack, which led to $50M in losses. Users of Radiant Capital are still affected if they have active wallet approvals for the protocol. 

SUN crashes due to its main exchange getting drained

The SUN token is relatively inactive and the smart contract points to no known DEX. SUN appeared first around September 17, with a limited supply of liquidity. The token grew gradually after its launch, from $7 to $10 in the weeks before the attack. The main goal of the token was to serve as a store of value and collateral for decentralized finance. 

SUN tokens crashed to zero after the exploit of a smart contract on Arbitrum. | Source: DEXScreener

The token hack led to the loss of all notional value. In fact, the exploit transaction made up almost all of the volume for SUN so far, reaching $2.2M in total. 

More than 94% of all SUN was held in a single wallet, suggesting the project was still not operating in full. The wallet is tagged as the SunRay LP, or liquidity provider, on the Sunray DEX.

More than 19.9K addresses held SUN tokens before the exploit, though most were still controlled by a single entity. None of the addresses were directly affected, as the exploiter sold a newly minted supply. 

An X account linked to the Sunray DEX revealed the suspicious activity originating from its treasury. The Sunray DEX stated that SUN and ARC tokens flowed out of its treasury and that the team is attempting a retrieval. However, this may be impossible, as the tokens were already swapped for USDT, which could be moved or traded again.

Sunray DEX is a new attempt at building a blockchain-based market on Arbitrum. The DEX was created with the involvement of SoftBank, though the project is not listed on its portfolio page. The Sunray DEX X account also communicated in a way that singled it out as a crypto outsider, taking a long time to launch in a dynamic environment where new tokens and DEXs build up their activity much faster.

The Sunray DEX has a landing page, but most of its features are still inactive. The Sunray Finance protocol promised an extremely high passive income of 299% for SUN, with the addition of the ARC governance token. 

Neither Sunray Finance nor Sunray Swap has reported a hack through its channels. The investigation is ongoing, as the native SUN token is now practically worthless. Sunray Finance claimed its smart contracts were audited, but the project’s social media suggest it was not prepared enough for the latest DEX and Web3 challenges and attacks.

The recent exploit was relatively small compared to other DEX hacks. However, it may point to another loss on the side of SoftBank, if it is indeed the main backer of Sunray Finance. The DEX itself has no landing page of its own and only points to SoftBank. The Japanese investment fund has backed multiple crypto projects, some of which were successful, but others, like FTX, suffered deep losses.  
