SushiSwap loses $3.3 million in a hacker attack
The platform’s head stated that the vulnerable contract was removed
10.04.2023 - 09:45
What’s new? On April 9, a bug in a smart contract of the decentralized exchange (DEX) SushiSwap led to the loss of $3.3 million in ETH. Cybersecurity company PeckShield reported unusual activity related to the approval feature in the RouteProcessor2 smart contract of the Sushi protocol, which aggregates trading liquidity from multiple sources and determines the best price to exchange coins.
It seems the @SushiSwap RouterProcessor2 contract has an approve-related bug, which leads to the loss of >$3.3M loss (about 1800 eth) from @0xSifu. If you have approved https://t.co/E1YvC6VZsP, please *REVOKE* ASAP! One example hack tx: https://t.co/ldg0ww3hAN pic.twitter.com/OauLbIgE0Q — PeckShield Inc. (@peckshield) April 9, 2023
What else is known about the hack? According to the developer of the DefiLlama aggregator under the nickname 0xngmi, the hack should only affect users who have made an exchange using the protocol within the last four days.
only users impacted by sushiswap hack should be those that swapped on sushiswap in the last 4 days, if you did so revert approvals asap or move your funds in affected wallet to a new wallet — 0xngmi (llamazip arc) (@0xngmi) April 9, 2023
SushiSwap head Jared Grey confirmed that RouteProcessor2 has an approval bug and urged users to revoke permissions for all protocol contracts. He said that the platform is working with security teams to fix the vulnerability. A list of the contracts on several blockchains that require approval revocation has been created on GitHub.
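How a wallet owner or monitoring team can find approvals that are still open to a flagged contract and build the revocation call, shown as an added example that is not from the article or from SushiSwap. All addresses and log entries are constructed placeholders (the article does not give the RouteProcessor2 address), and the logs are assumed to have the shape returned by `eth_getLogs`.

```python
"""Replay ERC-20 Approval logs to list allowances still open to a flagged spender."""
# keccak256("Approval(address,address,uint256)"), the ERC-20 Approval event topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
APPROVE_SELECTOR = "095ea7b3"  # first 4 bytes of keccak256("approve(address,uint256)")

# Placeholder addresses, constructed for this example (not real contracts or wallets).
FLAGGED_SPENDER = "0x" + "aa" * 20
OTHER_SPENDER = "0x" + "cc" * 20
TOKEN_A, TOKEN_B = "0x" + "11" * 20, "0x" + "22" * 20
ALICE, BOB = "0x" + "a1" * 20, "0x" + "b0" * 20
MAX_UINT = 2**256 - 1  # the usual "unlimited" approval value

def pad32(value):
    """Left-pad an address string or integer to a 32-byte hex word (no 0x prefix)."""
    digits = value[2:] if isinstance(value, str) else format(value, "x")
    return digits.lower().rjust(64, "0")

def make_log(token, owner, spender, value, block, index):
    """Build a constructed log entry in the shape eth_getLogs returns."""
    return {"address": token, "blockNumber": hex(block), "logIndex": hex(index),
            "topics": [APPROVAL_TOPIC, "0x" + pad32(owner), "0x" + pad32(spender)],
            "data": "0x" + pad32(value)}

SAMPLE_LOGS = [  # constructed, deliberately out of chain order
    make_log(TOKEN_B, BOB, FLAGGED_SPENDER, 0, 105, 1),          # Bob revoked later
    make_log(TOKEN_A, ALICE, FLAGGED_SPENDER, MAX_UINT, 100, 0),
    make_log(TOKEN_B, BOB, FLAGGED_SPENDER, MAX_UINT, 101, 3),
    make_log(TOKEN_A, ALICE, OTHER_SPENDER, 500, 102, 0),        # unrelated spender
]

def open_allowances(logs, spender):
    """Return {(token, owner): value} for non-zero allowances granted to spender."""
    state = {}
    ordered = sorted(logs, key=lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16)))
    for log in ordered:
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # ERC-721 Approval shares the topic but has 4 topics
        if "0x" + topics[2][-40:].lower() != spender.lower():
            continue
        key = (log["address"].lower(), "0x" + topics[1][-40:].lower())
        state[key] = int(log["data"], 16)  # the latest approval replaces earlier ones
    return {k: v for k, v in state.items() if v > 0}

def revoke_calldata(spender):
    """ABI-encode approve(spender, 0); the owner sends it to the token contract."""
    return "0x" + APPROVE_SELECTOR + pad32(spender) + pad32(0)

if __name__ == "__main__":
    for (token, owner), value in open_allowances(SAMPLE_LOGS, FLAGGED_SPENDER).items():
        print(owner, "must send to", token, ":", revoke_calldata(FLAGGED_SPENDER))
```

Some tokens lower the allowance inside `transferFrom` without emitting `Approval`, so each hit should be confirmed with an on-chain `allowance(owner, spender)` call before and after revoking.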
Hours after the incident, Grey said that a significant portion of the funds had been recovered with the help of whitehats. He added that the SushiSwap team is in talks with representatives of the liquid staking protocol Lido Finance about recovering another 700 ETH (~$1.3 million).
We've confirmed recovery of more than 300ETH from CoffeeBabe of Sifu's stolen funds. We're in contact with Lido's team regarding 700 more ETH. — Jared Grey (@jaredgrey) April 9, 2023
Grey later stated that users could safely trade on SushiSwap because the vulnerable contract had been removed. He also urged platform customers to confirm the removal of the approval for RouteProcessor2 on the site.
Some quick notes on @SushiSwap, post-exploit. 1. You can now safely swap/trade on Sushi. 2. We've removed the exploited contract. 3. Please confirm you've removed approvals for the exploited RouteProcessor2 contract here: https://t.co/8BKQ2FSF0f — Jared Grey (@jaredgrey) April 9, 2023
In March, the US Securities and Exchange Commission (SEC) opened an investigation into SushiSwap. At the time, Grey proposed creating a $3 million fund to cover legal expenses. On April 9, he noted that the regulator had made no findings that anyone associated with SushiSwap had violated securities laws.