The decentralized exchange (DEX) SushiSwap has lost more than $3.3 million after an attacker exploited a flaw in one of its smart contracts.
The affected contract, RouteProcessor2, is a routing contract that aggregates liquidity from different sources and selects the best price for a swap. Once the flaw was exploited, the stolen assets were moved across several blockchain networks.
Ancilia, a crypto security company, clarified the issue on Twitter, stating: “The root of the problem lies in the internal swap() function. It initiates the swapUniV3() which sets the ‘lastCalledPool’ variable at storage slot 0x00. Subsequently, in the swap3callback function, the permission checks are overlooked.”
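The mechanism Ancilia describes (swapUniV3() writing a pool address into lastCalledPool at storage slot 0, then a callback that trusts that value) is sketched below as an added illustration of the bug class. This is not Sushi's RouteProcessor2 source: the contract names, parameters, the factory interface and the callback data layout are assumptions made for the sketch. The callback uses Uniswap V3's uniswapV3SwapCallback signature, which is the function the quote refers to as swap3callback. The vulnerable contract shows why the issue is an "approval" bug (the callback spends the router's allowance on behalf of an address it never verified), and the hardened contract shows one way to close it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Illustrative reconstruction of the bug class, not Sushi's RouteProcessor2 code.
// Contract, parameter and interface names are assumptions for this sketch.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Minimal Uniswap V3 pool surface a router needs.
interface IUniswapV3PoolLike {
    function swap(
        address recipient,
        bool zeroForOne,
        int256 amountSpecified,
        uint160 sqrtPriceLimitX96,
        bytes calldata data
    ) external returns (int256 amount0, int256 amount1);
}

// Assumed factory lookup used by the hardened version to validate pools.
interface IUniswapV3FactoryLike {
    function getPool(address tokenA, address tokenB, uint24 fee) external view returns (address);
}

/// VULNERABLE PATTERN. The pool address comes from caller-supplied route data, so
/// `lastCalledPool` (storage slot 0) can be pointed at any contract. The callback's only
/// check is msg.sender == lastCalledPool, which a fake "pool" satisfies; it then pulls
/// tokens from whatever `from` address the callback data names, spending the router's
/// allowance. Any account that approved the router can be drained.
contract VulnerableRouter {
    address public lastCalledPool = address(1); // storage slot 0

    function swapUniV3(
        address pool, address tokenIn, address from,
        bool zeroForOne, int256 amount, uint160 priceLimit
    ) external {
        lastCalledPool = pool; // never checked against a known pool set
        IUniswapV3PoolLike(pool).swap(msg.sender, zeroForOne, amount, priceLimit, abi.encode(tokenIn, from));
        lastCalledPool = address(1);
    }

    function uniswapV3SwapCallback(int256 amount0Delta, int256 amount1Delta, bytes calldata data) external {
        require(msg.sender == lastCalledPool, "not the pool"); // satisfied by the attacker's contract
        (address tokenIn, address from) = abi.decode(data, (address, address));
        uint256 owed = uint256(amount0Delta > 0 ? amount0Delta : amount1Delta);
        IERC20(tokenIn).transferFrom(from, msg.sender, owed); // `from` is whoever the fake pool named
    }
}

/// HARDENED PATTERN (one possible fix, not necessarily the project's). Two independent
/// checks: the pool must be the one the canonical factory returns for the token pair and fee,
/// and tokens are only ever pulled from the account that initiated the swap, never from an
/// address carried in callback data.
contract HardenedRouter {
    IUniswapV3FactoryLike public immutable factory;
    address private constant NO_POOL = address(1);
    address private lastCalledPool = NO_POOL;
    address private swapInitiator;

    constructor(IUniswapV3FactoryLike f) { factory = f; }

    function swapUniV3(
        address pool, address tokenIn, address tokenOut, uint24 fee,
        bool zeroForOne, int256 amount, uint160 priceLimit
    ) external {
        require(lastCalledPool == NO_POOL, "swap already in progress");
        require(factory.getPool(tokenIn, tokenOut, fee) == pool, "unknown pool");
        lastCalledPool = pool;
        swapInitiator = msg.sender; // the only account whose allowance may be spent
        IUniswapV3PoolLike(pool).swap(msg.sender, zeroForOne, amount, priceLimit, abi.encode(tokenIn));
        lastCalledPool = NO_POOL;
        swapInitiator = address(0);
    }

    function uniswapV3SwapCallback(int256 amount0Delta, int256 amount1Delta, bytes calldata data) external {
        require(lastCalledPool != NO_POOL && msg.sender == lastCalledPool, "not the active pool");
        address tokenIn = abi.decode(data, (address));
        uint256 owed = uint256(amount0Delta > 0 ? amount0Delta : amount1Delta);
        IERC20(tokenIn).transferFrom(swapInitiator, msg.sender, owed);
    }
}
```

The practical consequence for users follows directly from the vulnerable callback: the router's transferFrom succeeds for any account that still holds a non-zero allowance to it, whether or not that account is currently swapping, which is why the advice below is to revoke approvals rather than simply to stop using the interface.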
A developer known by the pseudonym 0xngmi, from DefiLlama, has pointed out that the hack likely affects only users who transacted on the protocol within the past four days.
0xngmi stated on Twitter, “Those potentially impacted by the Sushiswap breach should be individuals who conducted swaps on Sushiswap within the past 4 days. If you’re among them, it’s advisable to either revoke approvals promptly or transfer funds from the compromised wallet to a new one.”
There has already been a reported casualty of the hack. A prominent figure in the crypto community named Sifu allegedly lost a substantial 1,800 ETH, which is equivalent to approximately $3.3 million, due to this security breach.
Sushi’s head developer, Jared Grey, urged users to revoke approvals for all contracts affiliated with the protocol, warning, “Sushi’s RouteProcessor2 contract contains an approval glitch; it’s imperative to withdraw approval immediately.”
To facilitate this, Grey compiled and shared a list on GitHub of the contract addresses on each chain whose approvals need to be revoked. Approvals are granted per token, per spender and per chain, so each token a user approved to RouteProcessor2 on each listed network needs its own revocation. The affected contract is also deployed on Polygon, a widely adopted Ethereum scaling network.
SushiSwap Recovers a “Large Portion” of Stolen Funds
The SushiSwap team, with assistance from the blockchain security firm HYDN, has successfully reclaimed a considerable chunk of the pilfered funds through white hat security measures.
“A majority of the compromised funds have been safely retrieved via a white hat security procedure. If you’ve been involved in such a white hat recovery, kindly reach out to [email protected] for subsequent actions,” Grey announced at 9:42 a.m. Eastern Time on April 9.
“We’ve successfully recouped over 300 ETH from Coffeebabe, part of the assets stolen from Sifu. We are currently liaising with Lido’s team concerning an additional 700 ETH.”
Later in the day, Sushiswap’s CTO, Matthew Lilley, assured users that the platform is now secure and fully operational. “Any risk associated with RouteProcessor2 has been eradicated from the user interface. Engaging in liquidity provision or any ongoing swap activities is now secure,” he said.
This hacking incident occurs amidst a backdrop of heightened regulatory oversight targeting the DEX. Both the Sushi DAO and Grey have received subpoenas from the US Securities and Exchange Commission.
The subpoena became public on March 21, when Sushi put a proposal to the Sushi DAO to create a legal defense fund to cover potential forthcoming legal expenses.
During the weekend, Grey released an official response concerning the subpoena, stating, “The SEC’s probe is a confidential, fact-finding endeavor aimed at discerning any potential breaches of federal securities regulations.”
He further clarified, “As of the time of this statement, to the best of our understanding, the SEC hasn’t determined or concluded that anyone associated with Sushi has transgressed the federal securities laws of the United States.”