Sushiswap smart contract bug results in over $3M in losses
A bug introduced to the decentralized exchange (dex) protocol Sushiswap’s smart contract has resulted in more than $3 million in losses.
By Anna B Kiwanuka
Over the weekend, the dex platform Sushiswap saw its RouteProcess02 contract exploited and then distributed across various blockchain networks. Blockchain security firm Certik published an alert after discovering the exploit.
The company Peckshield also updated the crypto community via Twitter, noting that Sushiswap’s RouterProcessor2 contract has an approve-related bug. It has also been reported that the victim was a well-known crypto advocate called Sifu, who reportedly lost 1,800 ETH.
Sifu may not have been the only victim, as Certik’s alert mentions that a few USDC users may have been affected.
Certik tweeted, “We have detected suspicious activity on (0x15d), which is a malicious router. Revoke permissions if you have approved this router to spend your tokens. Stay safe.”
“Multiple users who had approved the malicious contract have seen their USDC being transferred to (0x29e). The wallet has taken about $20,000 in the last two hours,” the company added.
A developer known as 0xngmi has detailed that the exploit should only be problematic for those who used Sushiswap during the last four days.
“Only users impacted by Sushiswap hack should be those that swapped on Sushiswap in the last 4 days. If you did so, revert approvals ASAP or move your funds in the affected wallet to a new wallet,” 0xngmi tweeted.
Sushiswap’s Head Chef Jared Grey also confirmed the exploit and later detailed that recovery efforts were underway.
“We’ve secured a large portion of affected funds in a whitehat security process. If you have performed a whitehat recovery please contact email@example.com for next steps,” Grey said.
“We’ve confirmed the recovery of more than 300 ETH from Coffeebabe of Sifu’s stolen funds. We’re in contact with Lido’s team regarding 700 more ETH,” Grey added.
Sushiswap’s CTO, Matthew Lilley, followed up later in the day and said that there are currently no issues with using the Sushiswap dex platform.
“There is no risk at this time with using Sushi Protocol, and the UI. All exposure to RouterProcessor2 has been removed from the front end, and all LPing / current swap activity is safe to do,” the Sushiswap CTO explained.
“We do ask that all users double-check their approvals, and if an address within this list below has an allowance for any of your tokens to please unapprove as soon as you can,” Lilley added.
Just recently, Grey told the community that the Sushiswap team received a subpoena from the U.S. Securities and Exchange Commission (SEC).