SushiSwap suffers $3.3m exploit as it addresses US subpoena

Decentralised finance (DeFi) protocol SushiSwap has suffered a smart contract bug that allowed for more than $3 million of funds to be siphoned in an exploit.

The hack should only impact users who swapped crypto on the protocol within the past four days, according to DefiLlama developer 0xngmi.

Blockchain security teams from Peckshield and CertiK Alert first posted about the bug on 9 April, stating that it had affected the approval function of SushiSwap’s Router Processor 2 contract.

This smart contract collates trade liquidity from a number of sources to determine the best price for swapping crypto.

Peckshield said the approval bug caused losses of at least $3.3 million in funds.

It seems the @SushiSwap RouterProcessor2 contact has an approve-related bug, which leads to the loss of >$3.3M loss (about 1800 eth) from @0xSifu.

If you have approved https://t.co/E1YvC6VZsP, please *REVOKE* ASAP!

One example hack tx: https://t.co/ldg0ww3hAN pic.twitter.com/OauLbIgE0Q

— PeckShield Inc. (@peckshield) April 9, 2023

Jared Grey, lead developer at SushiSwap, advised users to refuse permissions for all contracts on the protocol.

A list of contracts with different blockchains that need to be refused was created on GitHub in response.

Grey said: “Sushi’s RouteProcessor2 contract has an approval bug; please revoke approval ASAP. We’re working with security teams to mitigate the issue.”

Following first reports of the incident, Grey confirmed via Twitter that a “large portion” of affected funds had been recovered using white hat security methods.

“We’ve confirmed recovery of more than 300ETH from CoffeeBabe of Sifu’s stolen funds. We’re in contact with Lido’s team regarding 700 more ETH,” he tweeted.

We've secured a large portion of affected funds in a whitehat security process. If you have performed a whitehat recovery please contact security@sushi.com for next steps.

— Jared Grey (@jaredgrey) April 9, 2023

SushiSwap made news over the weekend when Grey and his team commented on the protocol’s March-issued subpoena from the US Securities and Exchange Commission.

He said: “The SEC’s investigation is a non-public, fact-finding inquiry trying to determine whether there have been any violations of the federal securities laws.”

“To the best of our knowledge, the SEC has not (as of this writing) made any conclusions that anyone affiliated with Sushi has violated United States federal securities laws.”

Grey and the SushiSwap team say they are cooperating with the court order.

Want to learn more about blockchain from industry leaders? Check out Blockchain Expo taking place in Amsterdam, California and London.

Explore other upcoming enterprise technology events and webinars powered by TechForge here.

Tags: defi, exploit, sushiswap