**Postmortem, September 18th, 2021**
Yesterday MISO suffered a supply chain attack. All funds have been recovered, the interface code updated, and we have taken concrete steps to fully secure access controls. A full postmortem can be found below:
Sushi has a culture of building community-driven teams, and we have a large, dedicated team of community contractors. While we are humbled by our community of contractors, on Friday, September 17, MISO suffered a supply chain exploit in which the fund wallet address was fixed to 0x3dDD8b6D092df917473680d6C41F80F708C45395 for ETH and WETH auctions. Upon finalization of the JayPegs auction, 865 ETH was transferred to the exploit address as the parameters were unrealized.
The studio repo had a procedure to open PRs on the dev branch and go through review to merge into the master branch. However, this process was not enforced by git branch protection settings.
In response, git branch protections were subsequently applied. Additional review to integrate with LavaMoat and automated diff checker implementations has been scheduled. Master or main branch protections also apply to administrators. This allows the pull request approval and signature policy to be put into effect.
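One form an automated diff check could take is sketched below as an added example; it is not Sushi's code. It assumes git-format unified diffs and flags any Ethereum address that appears on an added line and is not on a reviewed allowlist. The file path, variable names, allowlist entry and diff content are all constructed for illustration.

```python
import re

# Assumption: addresses already reviewed and approved (constructed value, lower-case).
ALLOWLIST = {"0x00112233445566778899aabbccddeeff00112233"}
# 20-byte address; the lookahead skips longer hex strings such as 32-byte hashes.
ADDRESS_RE = re.compile(r"0x[0-9a-fA-F]{40}(?![0-9a-fA-F])")
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

# Constructed diff for illustration; not the actual commit from the incident.
SAMPLE_DIFF = """\
diff --git a/src/auction/config.js b/src/auction/config.js
--- a/src/auction/config.js
+++ b/src/auction/config.js
@@ -10,4 +10,5 @@ export function buildParams(form) {
   const token = form.token
-  const wallet = form.fundWallet
+  const wallet = '0x3dDD8b6D092df917473680d6C41F80F708C45395'
+  const known = '0x00112233445566778899AABBCCDDEEFF00112233'
   return { token, wallet }
 }
"""

def find_new_addresses(diff_text, allowlist=ALLOWLIST):
    """Return (file, new_line_number, address) for every non-allowlisted
    address on a line the diff adds."""
    findings, path, new_line, in_hunk = [], None, 0, False
    for line in diff_text.splitlines():
        hunk = HUNK_RE.match(line)
        if hunk:
            new_line, in_hunk = int(hunk.group(1)), True
        elif line.startswith("diff --git "):
            in_hunk = False          # next lines are file headers, not content
        elif not in_hunk:
            if line.startswith("+++ "):
                path = line[4:].removeprefix("b/")
        elif line.startswith("+"):
            for addr in ADDRESS_RE.findall(line[1:]):
                if addr.lower() not in allowlist:
                    findings.append((path, new_line, addr))
            new_line += 1
        elif line.startswith(" ") or line == "":
            new_line += 1            # context line advances the new-file counter
        # removed ('-') lines and "\ No newline" markers do not advance it
    return findings

if __name__ == "__main__":
    for path, lineno, addr in find_new_addresses(SAMPLE_DIFF):
        print(f"{path}:{lineno}: new hard-coded address {addr}")
```

Run as a required status check on pull requests, a non-empty result would block the merge until a reviewer approves the address or it is added to the allowlist.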
Sushi reached out to the commit author, MISO users, and institutions associated with or that have interacted with the address to seek rectification. The full funds were returned to the operational multisig after a period of discussion, in quantities of 100 ETH, 700 ETH, and 65 ETH. These funds are waiting to be forwarded to the JayPegs team.