SushiSwap smart contract bug leads to $3.3 million exploit

10.04.2023 08:34 (Updated 10.04.2023 08:04)
by Sviatoslav Pinchuk

According to several security reports, SushiSwap lost about $3.3 million due to a bug that occurred on April 9. Only those who used the protocol in the last four days are affected.

Blockchain security analysts PeckShield and CertiK Alert have reported unusual activity related to approval failure of a smart contract on the decentralized finance protocol SushiSwap, which aggregates trade liquidity from multiple sources and determines the most favorable price for exchanging coins. The reported bug led to the exploitation of $3.3 million worth of Ethereum from a single user’s account, SushiSwap community member Sifu:

A separate analysis of the cause of the exploit by cybersecurity firm Ancilia found that the bug was due to the fact that access permissions were not validated during the middle of a swap transaction. Additionally, the firm identified the specific contract on the Polygon network that was exposed to the vulnerability:
DefiLlama developer 0xngmi has stated that the hack probably only affects those users who have performed swaps via the protocol within the last four days:

Sushi’s head developer, Jared Grey, confirmed the bug and asked users to revoke permissions for all contracts on the protocol. He also stated that the team will provide a “thorough post-mortem of the development process leading up to the exploit and the events that unfolded post-exploit,” and that a great deal of the funds had already been recovered.

SushiSwap CTO Matthew Lilley later added:

We’re currently all hands on deck working through identifying all addresses that have been affected by the RouterProcessor2 exploit. Several rescues have been initiated, and we are continuing to monitor / rescue funds as they become available.

Lilley provided a tool to assist users in verifying whether they had given RouterProcessor2 access to their funds. The tool can check for potential exposure on numerous networks, such as Ethereum, Polygon, Avalanche, Arbitrum, Gnosis, Optimism, and others.
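The exposure check described above amounts to reading each token's ERC-20 `allowance(owner, spender)` for the RouterProcessor2 spender and, where it is non-zero, sending `approve(spender, 0)` to revoke it. The following is an added example, not Lilley's tool and not SushiSwap code: it builds the raw ABI calldata for both calls with the standard library only, runs the check against a constructed in-memory stub in place of a JSON-RPC `eth_call`, and produces the revoke transactions. The RouterProcessor2 address, the owner and the token addresses are placeholders; the page gives none of them.

```python
# Added example (not SushiSwap's or Lilley's tool): find ERC-20 allowances granted
# to a spender and build the calldata that revokes them. Standard library only;
# the RPC call is a constructed stub so the whole thing runs offline.
from typing import Callable, Dict, List, Tuple

# 4-byte selectors = first 4 bytes of keccak256 of the canonical signature.
SEL_ALLOWANCE = bytes.fromhex("dd62ed3e")  # allowance(address,address)
SEL_APPROVE = bytes.fromhex("095ea7b3")    # approve(address,uint256)

# PLACEHOLDER spender address: the page names RouterProcessor2 but gives no address.
ROUTER_PROCESSOR2 = "0x" + "02" * 20


def _addr(word: str) -> bytes:
    """ABI-encode an address: 20 raw bytes left-padded to a 32-byte word."""
    raw = bytes.fromhex(word[2:] if word.startswith("0x") else word)
    if len(raw) != 20:
        raise ValueError("address must be 20 bytes")
    return raw.rjust(32, b"\x00")


def _uint(value: int) -> bytes:
    """ABI-encode a uint256 as a big-endian 32-byte word."""
    return value.to_bytes(32, "big")


def allowance_calldata(owner: str, spender: str) -> bytes:
    """Calldata for allowance(owner, spender) on any ERC-20 token."""
    return SEL_ALLOWANCE + _addr(owner) + _addr(spender)


def revoke_calldata(spender: str) -> bytes:
    """Calldata for approve(spender, 0), i.e. revoking the allowance."""
    return SEL_APPROVE + _addr(spender) + _uint(0)


def decode_uint(ret: bytes) -> int:
    """Decode the single uint256 word an allowance() call returns."""
    if len(ret) != 32:
        raise ValueError("expected one 32-byte return word")
    return int.from_bytes(ret, "big")


EthCall = Callable[[str, bytes], bytes]  # (to, data) -> return data


def find_exposure(eth_call: EthCall, owner: str, tokens: List[str],
                  spender: str = ROUTER_PROCESSOR2) -> List[Tuple[str, int]]:
    """Return (token, allowance) for every token where the spender may still pull funds."""
    exposed = []
    for token in tokens:
        amount = decode_uint(eth_call(token, allowance_calldata(owner, spender)))
        if amount > 0:
            exposed.append((token, amount))
    return exposed


def revoke_plan(exposed: List[Tuple[str, int]],
                spender: str = ROUTER_PROCESSOR2) -> List[Dict[str, str]]:
    """One approve(spender, 0) transaction per exposed token, ready to sign and send."""
    return [{"to": token, "data": "0x" + revoke_calldata(spender).hex()}
            for token, _ in exposed]


# ---- Constructed sample state standing in for on-chain token storage ----------
SAMPLE_OWNER = "0x" + "01" * 20   # placeholder user address
TOKEN_A = "0x" + "aa" * 20        # placeholder token with an unlimited approval
TOKEN_B = "0x" + "bb" * 20        # placeholder token with no approval
SAMPLE_ALLOWANCES: Dict[Tuple[str, str, str], int] = {
    (TOKEN_A, SAMPLE_OWNER, ROUTER_PROCESSOR2): 2 ** 256 - 1,  # "infinite" approval
    (TOKEN_B, SAMPLE_OWNER, ROUTER_PROCESSOR2): 0,
}


def stub_eth_call(to: str, data: bytes) -> bytes:
    """Stand-in for JSON-RPC eth_call: decodes allowance() calldata and answers from SAMPLE_ALLOWANCES."""
    if data[:4] != SEL_ALLOWANCE or len(data) != 68:
        raise ValueError("stub only understands allowance(address,address)")
    owner = "0x" + data[16:36].hex()     # last 20 bytes of the first argument word
    spender = "0x" + data[48:68].hex()   # last 20 bytes of the second argument word
    return _uint(SAMPLE_ALLOWANCES.get((to, owner, spender), 0))


if __name__ == "__main__":
    exposed = find_exposure(stub_eth_call, SAMPLE_OWNER, [TOKEN_A, TOKEN_B])
    for token, amount in exposed:
        print(f"{token}: allowance {amount} granted to {ROUTER_PROCESSOR2}")
    for tx in revoke_plan(exposed):
        print("revoke tx:", tx)
```

Against a live node, `stub_eth_call` would be replaced by a function that sends `eth_call` with `to` and `data` and returns the hex-decoded result; the encoding and decoding logic stays the same. Checking the allowance first matters because each revoke is a transaction that costs gas, so only tokens with a non-zero allowance need one.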
