SushiSwap loses $3.3 million in a hacker attack
The platform’s head stated that the vulnerable contract was removed
10.04.2023 - 09:45
What’s new? On April 9, a bug in a smart contract of the decentralized exchange (DEX) SushiSwap led to the loss of $3.3 million in ETH. Cybersecurity company PeckShield reported unusual activity related to the approval feature in the RouteProcessor2 smart contract of the Sushi protocol, which aggregates trading liquidity from multiple sources and determines the best price to exchange coins.
It seems the @SushiSwap RouterProcessor2 contract has an approve-related bug, which leads to the loss of >$3.3M (about 1800 eth) from @0xSifu. If you have approved https://t.co/E1YvC6VZsP, please *REVOKE* ASAP! One example hack tx: https://t.co/ldg0ww3hAN pic.twitter.com/OauLbIgE0Q — PeckShield Inc. (@peckshield) April 9, 2023
What else is known about the hack? According to the developer of the DefiLlama aggregator under the nickname 0xngmi, the hack should only affect users who have made an exchange using the protocol within the last four days.
only users impacted by sushiswap hack should be those that swapped on sushiswap in the last 4 days, if you did so revert approvals asap or move your funds in affected wallet to a new wallet — 0xngmi (llamazip arc) (@0xngmi) April 9, 2023
SushiSwap head Jared Grey confirmed that RouteProcessor2 has an approval bug and urged users to revoke permissions for all protocol contracts. He said that the platform is working with security teams to fix the vulnerability. A list of the contracts on several blockchains that require revocation of approval has been published on GitHub.
Hours after the incident, Grey said that a significant portion of the funds had been recovered with the help of whitehats. He added that the SushiSwap team is in talks with representatives of the liquid staking protocol Lido Finance about recovering another 700 ETH (~$1.3 million).
We've confirmed recovery of more than 300ETH from CoffeeBabe of Sifu's stolen funds. We're in contact with Lido's team regarding 700 more ETH. — Jared Grey (@jaredgrey) April 9, 2023
Grey later stated that users could safely trade on SushiSwap because the vulnerable contract had been removed. He also urged platform customers to confirm the removal of the approval for RouteProcessor2 on the site.
Some quick notes on @SushiSwap, post-exploit. 1. You can now safely swap/trade on Sushi. 2. We've removed the exploited contract. 3. Please confirm you've removed approvals for the exploited RouteProcessor2 contract here: https://t.co/8BKQ2FSF0f — Jared Grey (@jaredgrey) April 9, 2023
In March, the US Securities and Exchange Commission (SEC) opened an investigation into SushiSwap. At the time, Grey proposed creating a $3 million fund to cover legal expenses. On April 9, he noted that the regulator had made no findings that anyone associated with SushiSwap had violated securities laws.