A bug introduced into SushiSwap four days ago was exploited late Saturday to drain about $3.3 million worth of ETH from a single user's wallet.
According to a Twitter post by blockchain security and data analytics company PeckShield, the attacker used an "approve-related bug" in SushiSwap's RouteProcessor2 contract to steal about 1,800 ETH from a wallet controlled by the victim, a prominent member of the Crypto Twitter community known as Sifu.
Separate analysis by Binance-backed cybersecurity firm Ancilia determined that the flaw was a failure to validate access permissions partway through a swap transaction. The firm also found the same vulnerable contract deployed on the Polygon network.
SushiSwap "head chef" Jared Grey confirmed the bug and exploit about an hour later, and repeated PeckShield's recommendation that users who have interacted with the SushiSwap protocol revoke all token approvals granted to its contracts. Grey had broken the news of SushiSwap's SEC subpoena two weeks ago.
Early Sunday morning, SushiSwap CTO Matthew Lilley followed up with more details.
"We're currently all hands on deck working through identifying all addresses that have been affected by the RouteProcessor2 exploit," Lilley wrote. "Several rescues have been initiated, and we are continuing to monitor / rescue funds as they become available."
"There is no risk at this time with using Sushi Protocol, and the UI," he continued. "All exposure to RouteProcessor2 has been removed from the front end, and all [liquidity providing and] current swap activity is safe to do."
To help users determine whether they had granted RouteProcessor2 access to their funds, Lilley posted a link to a tool that checks for exposure across a variety of networks, including Ethereum, Polygon, Avalanche, Arbitrum, Gnosis, Optimism, and others.
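The exposure check and the revoke advice above boil down to one question per wallet: does any ERC-20 token still hold a non-zero allowance for the vulnerable spender contract? The following script is an added example, not SushiSwap's tool or Decrypt's code. It replays ERC-20 Approval event logs (in the shape returned by eth_getLogs) for a single spender, keeps the latest allowance per (owner, token) pair so that a later approve(spender, 0) correctly cancels an earlier approval, flags unlimited approvals, and builds the approve(spender, 0) calldata each exposed wallet would send to revoke. The spender, wallet and token addresses and all log entries are constructed for illustration; only the event topic and function selector are the standard ERC-20 values.

```python
"""Find wallets still exposed to a spender contract through ERC-20 approvals
and build the revoke transactions. Added example; the addresses and logs below
are constructed, not real on-chain data."""

# keccak256("Approval(address,address,uint256)"): the standard ERC-20 event topic.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
# keccak256("Transfer(address,address,uint256)"): used only as a non-Approval log below.
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
# First 4 bytes of keccak256("approve(address,uint256)").
APPROVE_SELECTOR = "095ea7b3"
UINT256_MAX = 2**256 - 1

# Hypothetical address standing in for the vulnerable router (not the real one).
SPENDER = "0x" + "ab" * 20


def _addr(word: str) -> str:
    """Last 20 bytes of a 32-byte ABI word as a lowercase 0x address."""
    return "0x" + word[-40:].lower()


def replay_approvals(logs, spender):
    """Latest allowance per (owner, token) granted to `spender`.

    Logs are replayed in (blockNumber, logIndex) order so a later approve(spender, 0)
    overwrites an earlier approval. This is an approximation: transferFrom may lower
    an allowance without emitting Approval, so confirm with allowance(owner, spender)
    on-chain before acting on the result.
    """
    spender = spender.lower()
    latest = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # not an ERC-20 Approval event
        if _addr(topics[2]) != spender:
            continue  # approval granted to some other spender
        latest[(_addr(topics[1]), log["address"].lower())] = int(log["data"], 16)
    return latest


def exposed_wallets(logs, spender):
    """(owner, token, allowance, is_unlimited) for every remaining non-zero allowance."""
    return [
        (owner, token, amount, amount == UINT256_MAX)
        for (owner, token), amount in replay_approvals(logs, spender).items()
        if amount > 0
    ]


def revoke_calldata(spender):
    """ABI-encoded approve(spender, 0): selector + left-padded address + zero amount."""
    return "0x" + APPROVE_SELECTOR + spender[2:].lower().rjust(64, "0") + "0" * 64


def revoke_transactions(logs, spender):
    """One approve(spender, 0) call per exposed (owner, token) pair, sent to the token."""
    data = revoke_calldata(spender)
    return [{"from": owner, "to": token, "data": data}
            for owner, token, _, _ in exposed_wallets(logs, spender)]


# ---- constructed sample data (hypothetical addresses and log entries) ----
WALLET_A, WALLET_B, WALLET_C = ("0x" + "11" * 20, "0x" + "22" * 20, "0x" + "33" * 20)
TOKEN_1, TOKEN_2 = ("0x" + "aa" * 20, "0x" + "bb" * 20)
OTHER_SPENDER = "0x" + "cc" * 20


def _word_addr(addr):
    return "0x" + addr[2:].lower().rjust(64, "0")


def _word_uint(n):
    return "0x" + format(n, "064x")


def _approval(block, idx, token, owner, spender, amount):
    """Build an Approval log in eth_getLogs shape."""
    return {"address": token, "blockNumber": block, "logIndex": idx,
            "topics": [APPROVAL_TOPIC, _word_addr(owner), _word_addr(spender)],
            "data": _word_uint(amount)}


SAMPLE_LOGS = [
    _approval(105, 0, TOKEN_1, WALLET_B, SPENDER, 0),            # B's revoke, listed out of order
    _approval(100, 0, TOKEN_1, WALLET_A, SPENDER, UINT256_MAX),  # A: unlimited, never revoked
    _approval(101, 3, TOKEN_1, WALLET_B, SPENDER, 1000),         # B: approved, later revoked (block 105)
    _approval(102, 7, TOKEN_2, WALLET_A, OTHER_SPENDER, 500),    # different spender, ignored
    _approval(103, 1, TOKEN_2, WALLET_C, SPENDER, 5),            # C: small but still exposed
    {"address": TOKEN_1, "blockNumber": 104, "logIndex": 2,      # Transfer, not Approval, ignored
     "topics": [TRANSFER_TOPIC, _word_addr(WALLET_A), _word_addr(WALLET_C)],
     "data": _word_uint(1)},
]

if __name__ == "__main__":
    for owner, token, amount, unlimited in exposed_wallets(SAMPLE_LOGS, SPENDER):
        print(f"{owner} still allows {SPENDER} to spend {'UNLIMITED' if unlimited else amount} of {token}")
    for tx in revoke_transactions(SAMPLE_LOGS, SPENDER):
        print("revoke:", tx)
```

Run against real data, the log list would come from eth_getLogs filtered on APPROVAL_TOPIC with the router address in the third topic, and each revoke entry would be signed by the owner and sent to the token contract; the script deliberately stops at building the calldata.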
According to Grey, more than 300 ETH of Sifu's stolen funds have since been recovered, with another 700 ETH in process. The recovery effort has been tracked by crypto visualization service MetaSleuth.
Despite the hack, the price of SushiSwap's SUSHI token has dipped only slightly in the past 24 hours, down about 3%.
In 2021, SushiSwap narrowly avoided a massive hack when a "white hat" crypto researcher discovered a bidding bug that could have been exploited to the tune of $350 million.