JayPegs Automart (via SushiSwap MISO platform): Supply Chain Attack (Malicious Contractor Code Injection)
A trusted contractor on the JayPegs Automart/MISO auction injected their own wallet address as the auction beneficiary, redirecting $3.1M in ETH — funds were only returned after SushiSwap's CTO publicly doxxed the suspected developer and threatened FBI involvement.
Summary
JayPegs Automart (via SushiSwap MISO platform) suffered a Token Launchpad / Auction incident on 2021-09-17, resulting in a loss of approximately $3M.
Linked factors
- RD-F-001 — causal: ★ Audit scope mismatch — alternate field name [via dashboard_risk_factors/Exploited code in scope?: No — contract behaved as written; the malicious wallet address was injected, not a code bug]
- RD-F-006 — causal: Audit-deploy gap — alternate field name [via dashboard_risk_factors/Code newly deployed/upgraded?: Yes — fresh auction contract deployment with injected malicious wallet address]