SushiSwap, a decentralized finance (DeFi) protocol, had a bug in its smart contract that caused losses worth at least $3 million during the early hours of April 9. Blockchain security companies CertiK Alert and PeckShield first reported the news.
It seems the @SushiSwap RouterProcessor2 contract has an approve-related bug, which leads to the loss of >$3.3M (about 1800 eth) from @0xSifu.
If you have approved https://t.co/E1YvC6VZsP, please *REVOKE* ASAP!
One example hack tx: https://t.co/ldg0ww3hAN pic.twitter.com/OauLbIgE0Q
— PeckShield Inc. (@peckshield) April 9, 2023
In their reports, the security firms flagged unusual activity involving Sushi’s RouteProcessor2 contract. This smart contract aggregates trade liquidity from different sources and determines the most favorable price for coin swapping.
Based on the reports, the bug led to losses of up to $3.3 million in just a few hours. However, according to pseudonymous DefiLlama developer 0xngmi, the hack should affect only users who swapped on the protocol over the past four days.
only users impacted by sushiswap hack should be those that swapped on sushiswap in the last 4 days, if you did so revert approvals asap or move your funds in affected wallet to a new wallet
— 0xngmi (@0xngmi) April 9, 2023
SushiSwap Notice To Users
Following the attack, the head developer (“head chef”) at SushiSwap, Jared Grey, called upon users to revoke permissions for all contracts on the protocol. He said:
Sushi’s RouteProcessor2 contract has an approval bug; please revoke approval ASAP. We’re working with security teams to mitigate the issue.
Measures to address the problem have already been rolled out. These include a list on GitHub of the contracts on different blockchains that require revocation.
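One way to find which token approvals to a given spender contract are still open, working from ERC-20 Approval event logs, as an added example (not code from Sushi or the security firms quoted here). All addresses and log entries below are constructed placeholders; the contract addresses to check must come from Sushi's published list.

```python
# ERC-20 Approval(address indexed owner, address indexed spender, uint256 value)
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
APPROVE_SELECTOR = "095ea7b3"  # approve(address,uint256)

def topic_to_addr(topic):
    return "0x" + topic[-40:].lower()

def outstanding_approvals(logs, spender):
    """Map (token, owner) -> value of the latest non-zero Approval to spender.
    Event values are an upper bound (transferFrom may have spent part of the
    allowance), so treat hits as candidates and confirm with allowance()."""
    latest = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        # ERC-721 reuses this signature with a third indexed topic; skip it.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_addr(topics[2]) != spender.lower():
            continue
        key = (log["address"].lower(), topic_to_addr(topics[1]))
        latest[key] = int(log["data"], 16)
    return {k: v for k, v in latest.items() if v > 0}

def revoke_calldata(spender):
    """ABI-encode approve(spender, 0), sent to each token contract to revoke."""
    return "0x" + APPROVE_SELECTOR + spender[2:].lower().rjust(64, "0") + "0" * 64

# Constructed placeholders, NOT real addresses or on-chain data.
SPENDER, OTHER = "0x" + "aa" * 20, "0x" + "bb" * 20
TOKEN, NFT = "0x" + "cc" * 20, "0x" + "dd" * 20
ALICE, BOB = "0x" + "11" * 20, "0x" + "22" * 20
pad = lambda a: "0x" + a[2:].rjust(64, "0")
word = lambda n: "0x" + format(n, "064x")
def mk(token, owner, spender, value, block, idx=0):
    return {"address": token, "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": word(value), "blockNumber": block, "logIndex": idx}

SAMPLE_LOGS = [
    mk(TOKEN, BOB, SPENDER, 0, 105),             # Bob revoked later
    mk(TOKEN, ALICE, SPENDER, 2**256 - 1, 100),  # unlimited, still open
    mk(TOKEN, BOB, SPENDER, 1000, 101),
    mk(TOKEN, ALICE, OTHER, 500, 102),           # different spender
    {"address": NFT, "topics": [APPROVAL_TOPIC, pad(ALICE), pad(SPENDER), word(7)],
     "data": "0x", "blockNumber": 103, "logIndex": 0},  # ERC-721 Approval
]

if __name__ == "__main__":
    for (token, owner), value in outstanding_approvals(SAMPLE_LOGS, SPENDER).items():
        print(owner, "->", token, hex(value), revoke_calldata(SPENDER))
```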
We've secured a large portion of affected funds in a whitehat security process. If you have performed a whitehat recovery please contact security@sushi.com for next steps.
— Jared Grey (@jaredgrey) April 9, 2023
Grey also noted that more than 300 ETH of Sifu’s stolen funds had already been recovered from CoffeeBabe through a white hat security process. Furthermore, they had already reached out to the Lido team concerning 700 more ETH.
It is worth mentioning that the Sushi head developer used Dune as the tool for tracking the exploit.
A nice tool for tracking the exploit: https://t.co/6OLKeZOGqA
— Jared Grey (@jaredgrey) April 9, 2023
An Intense Weekend For The Sushi Community
The weekend was eventful for the Sushi community, with Grey and his team providing comments on April 8. These were about the recent United States Securities and Exchange Commission (SEC) subpoena. The head developer at Sushi said:
The SEC’s investigation is a non-public, fact-finding inquiry trying to determine whether there have been any violations of the federal securities laws. To the best of our knowledge, the SEC has not (as of this writing) made any conclusions that anyone affiliated with Sushi has violated United States federal securities laws.
According to Grey, he and the entire Sushi counsel are cooperating with the investigation. Part of that cooperation entailed proposing that the ecosystem set aside a legal defense fund to respond to the subpoena. This proposal was made on Sushi’s governance forum as early as March 21.