Popular decentralized exchange (DEX) platform SushiSwap has suffered more than $3.3 million in losses after a hacker exploited a bug in a smart contract.
More specifically, the DEX saw its RouteProcess02 contract, a smart contract that aggregates trade liquidity from multiple sources and identifies the most favorable price for swapping coins, exploited and then distributed across various blockchain networks.
“Root cause is because in the internal swap() function, it will call swapUniV3() to set variable “lastCalledPool” which is at storage slot 0x00,” crypto security firm Ancilia said in a tweet. “Later on in the swap3callback function the permission check get bypassed.”
DefiLlama pseudonymous developer 0xngmi suggested that only users who had swapped in the protocol during the past four days should be affected by the hack.
“Only users impacted by Sushiswap hack should be those that swapped on Sushiswap in the last 4 days. If you did so, revert approvals ASAP or move your funds in the affected wallet to a new wallet,” 0xngmi tweeted.
At least one user has fallen victim to the hack so far. The victim, who is a well-known crypto advocate called Sifu, reportedly lost 1,800 ETH (worth around $3.3 million).
Meanwhile, Sushi’s lead developer, Jared Grey, has urged users to revoke permissions for all contracts on the protocol, stating, “Sushi’s RouteProcessor2 contract has an approval bug; please revoke approval ASAP.
He also created a list of contracts on GitHub with different blockchains requiring revocation to address the problem. Notably, the vulnerable contract is also deployed on Polygon, a popular Ethereum layer-2 solution.
SushiSwap Recovers a “Large Portion” of Stolen Funds
The SushiSwap team has managed to recover a significant portion of the stolen funds through a white hat security process with the help from blockchain security company HYDN.
“We’ve secured a large portion of affected funds in a whitehat security process. If you have performed a whitehat recovery please contact [email protected] for next steps,” Grey said at 9:42 a.m. Eastern Time on April 9.
“We’ve confirmed recovery of more than 300 ETH from Coffeebabe of Sifu’s stolen funds. We’re in contact with Lido’s team regarding 700 more ETH.”
Sushiswap’s CTO, Matthew Lilley, followed up later in the day and said that there are currently no issues with using the Sushiswap dex platform. “All exposure to RouterProcessor2 has been removed from the front end, and all LPing / current swap activity is safe to do,” he added.
The recent hack comes on the heels of increasing regulatory scrutiny for the DEX as both Sushi DAO and Grey have been served with a subpoena by the US Securities and Exchange Commission.
On March 21, the organization announced the subpoena in the form of a proposal submitted to the Sushi DAO for the establishment of a legal defense fund to cover potential legal costs.
Over the weekend, Grey issued an official statement regarding the subpoena, claiming that “the SEC’s investigation is a non-public, fact-finding inquiry trying to determine whether there have been any violations of the federal securities laws.”
“To the best of our knowledge, the SEC has not (as of this writing) made any conclusions that anyone affiliated with Sushi has violated United States federal securities laws.”
