A bug introduced into SushiSwap four days ago was exploited late Saturday to drain about $3.3 million worth of Ethereum from a single user's account.
According to a Twitter post by blockchain security and data analytics company PeckShield, a wallet controlled by the victim—a prominent member of the Crypto Twitter community known as Sifu—was targeted by an "approve-related bug" in SushiSwap's RouterProcessor2 contract to steal about 1,800 ETH.
It seems the @SushiSwap RouterProcessor2 contract has an approve-related bug, which leads to the loss of >$3.3M (about 1800 eth) from @0xSifu.
Separate analysis by Binance-backed cybersecurity firm Ancilia determined that the flaw was the failure to validate access permissions halfway through a swap transaction. The firm also found the vulnerable contract on the Polygon network.
3/ The root cause is that in the internal swap() function, it calls swapUniV3() to set the variable "lastCalledPool", which is at storage slot 0x00. Later on, in the swap3callback function, the permission check gets bypassed.
SushiSwap "head chef" Jared Grey confirmed the bug and exploit about an hour later, and repeated PeckShield's recommendation that users who have interacted with the SushiSwap blockchain revoke all permissions granted to its contracts. Grey had broken the news of SushiSwap's SEC subpoena two weeks ago.
Early Sunday morning, SushiSwap CTO Matthew Lilley followed up with more details.
"We're currently all hands on deck working through identifying all addresses that have been affected by the RouterProcessor2 exploit," Lilley wrote. "Several rescues have been initiated, and we are continuing to monitor / rescue funds as they become available."
"There is no risk at this time with using Sushi Protocol, and the UI," he continued. "All exposure to RouterProcessor2 has been removed from the front end, and all [liquidity providing and] current swap activity is safe to do."
To help users determine whether they had granted RouteProcessor2 access to their funds, Lilley posted a link to a tool to check for exposure across a variety of networks, including Ethereum, Polygon, Avalanche, Arbitrum, Gnosis, Optimism, and others.
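Checking for that kind of exposure comes down to reading each token's ERC-20 allowance for the router address. The following is an added Python example, not SushiSwap's tool or code; the owner, router and token addresses are constructed placeholders and the JSON-RPC endpoint is assumed.

```python
import json
import urllib.request
from typing import Callable, Dict, Iterable

# 4-byte selector of ERC-20 allowance(address,address), i.e. keccak256 of the
# signature truncated to 4 bytes; hardcoded so no keccak library is needed.
ALLOWANCE_SELECTOR = "dd62ed3e"

def _word(addr: str) -> str:
    """ABI-encode a 20-byte hex address as a left-padded 32-byte word."""
    h = addr.lower()
    h = h[2:] if h.startswith("0x") else h
    if len(h) != 40 or any(c not in "0123456789abcdef" for c in h):
        raise ValueError(f"not a 20-byte hex address: {addr}")
    return h.rjust(64, "0")

def allowance_calldata(owner: str, spender: str) -> str:
    """Calldata for token.allowance(owner, spender)."""
    return "0x" + ALLOWANCE_SELECTOR + _word(owner) + _word(spender)

def http_eth_call(rpc_url: str) -> Callable[[str, str], str]:
    """Build an eth_call sender for a JSON-RPC endpoint (assumed URL)."""
    def call(to: str, data: str) -> str:
        body = json.dumps({"jsonrpc": "2.0", "id": 1, "method": "eth_call",
                           "params": [{"to": to, "data": data}, "latest"]}).encode()
        req = urllib.request.Request(rpc_url, data=body,
                                     headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)["result"]
    return call

def find_exposure(owner: str, spender: str, tokens: Iterable[str],
                  eth_call: Callable[[str, str], str]) -> Dict[str, int]:
    """Return {token: allowance} for each token where owner has granted spender
    a non-zero allowance; any such entry is an approval worth revoking."""
    exposed: Dict[str, int] = {}
    for token in tokens:
        raw = eth_call(token, allowance_calldata(owner, spender))
        # eth_call against an address with no code returns the empty result "0x".
        value = int(raw, 16) if raw not in ("0x", "") else 0
        if value > 0:
            exposed[token] = value
    return exposed

# Constructed placeholders: the real router and token addresses are not reproduced here.
OWNER = "0x" + "11" * 20
ROUTER = "0x" + "22" * 20      # placeholder for the RouteProcessor2 address
TOKENS = ["0x" + "aa" * 20, "0x" + "bb" * 20]
```

Pass `http_eth_call("<rpc url>")` as `eth_call` to query a live node for a real owner and router address; an allowance of 2**256 - 1 is the unlimited approval many front ends request by default.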
According to Grey, more than 300 ETH of Sifu's stolen funds have since been recovered, with another 700 ETH in process. The recovery effort has been tracked by crypto visualization service MetaSleuth.
. @SushiSwap RouteProcessor2 was attacked, and sifuvision.eth @0xSifu lost 1800 ETH due to this. We tracked the stolen funds and presented them as follows. The first attacker (0x9deff) has returned 90 ETH (of 100 stolen). BlockSec rescued 100 ETH and will return it shortly. The…
Despite the hack, the price of SushiSwap's SUSHI token has dipped only slightly in the past 24 hours, down about 3%.
In 2021, SushiSwap narrowly avoided a massive hack when a "white hat" crypto researcher discovered a bidding bug that could have been exploited to the tune of $350 million.