A bug introduced into SushiSwap ($SUSHI) four days earlier was exploited on Saturday, draining approximately $3.3 million worth of Ether (about 1,800 ETH) from a single user's address.
Blockchain security and data analytics firm PeckShield reported that the victim was targeted through an “approve-related bug” in SushiSwap’s RouteProcessor2 contract.
Ancilla, a cybersecurity firm backed by Binance, described the flaw as a failure to validate access permissions during a swap transaction, and also found the vulnerable contract deployed on the Polygon ($MATIC) network. SushiSwap “head chef” Jared Grey confirmed the bug and the exploit, recommending that users revoke any token approvals granted to the RouteProcessor2 contract.
Sushi's RouteProcessor2 contract has an approval bug; please revoke approval ASAP. We're working with security teams to mitigate the issue. https://t.co/WhXJfa5xD4
— Jared Grey (@jaredgrey) April 9, 2023
SushiSwap CTO Matthew Lilley provided more information on Sunday, stating that the team was working on identifying affected addresses and initiating rescues.
We're currently all hands on deck working through identifying all addresses that have been affected by the RouteProcessor2 exploit. Several rescues have been initiated, and we are continuing to monitor / rescue funds as they become available.
— I'm Software (@MatthewLilley) April 9, 2023
He assured users that there was no risk in using the Sushi protocol and that current swap activity was safe. Lilley also shared a tool to help users check whether their addresses were exposed to the bug across the networks where the contract was deployed, including Ethereum, Polygon ($MATIC), Avalanche ($AVAX), Arbitrum ($ARB), Gnosis ($GNO), Optimism ($OP), and more.
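The practical response the team asked for, revoking approvals, comes down to calling the token's approve(spender, 0) for every ERC-20 the user had approved to the vulnerable contract. The script below is an added illustration of that check-and-revoke flow, not SushiSwap's exposure tool or any of its code. It ABI-encodes the ERC-20 allowance(owner, spender) query and the revoking approve(spender, 0) call by hand (the two selectors are the standard ones; they are hardcoded because hashlib has no Keccak-256), then walks a list of tokens. The owner, spender and token addresses are placeholders, and the node's eth_call is simulated with an in-memory table so the example runs offline.

```python
"""Find non-zero ERC-20 allowances granted to a spender and build the revoke
transactions. Added illustration; addresses are placeholders and eth_call is
simulated, not a real JSON-RPC node."""

# 4-byte selectors are the first four bytes of keccak256(signature). These are
# the well-known ERC-20 values, hardcoded since hashlib lacks keccak256.
SEL_ALLOWANCE = bytes.fromhex("dd62ed3e")  # allowance(address,address)
SEL_APPROVE = bytes.fromhex("095ea7b3")    # approve(address,uint256)
UNLIMITED = 2**256 - 1                      # the "infinite approval" many dapps request


def _address_word(addr: str) -> bytes:
    """ABI-encode a 20-byte address as a left-padded 32-byte word."""
    hexpart = addr[2:] if addr[:2].lower() == "0x" else addr
    if len(hexpart) != 40 or any(c not in "0123456789abcdefABCDEF" for c in hexpart):
        raise ValueError(f"malformed address: {addr!r}")
    return b"\x00" * 12 + bytes.fromhex(hexpart)


def _uint256_word(value: int) -> bytes:
    if not 0 <= value <= UNLIMITED:
        raise ValueError("value out of uint256 range")
    return value.to_bytes(32, "big")


def encode_allowance_call(owner: str, spender: str) -> bytes:
    """Calldata for token.allowance(owner, spender); a read-only eth_call."""
    return SEL_ALLOWANCE + _address_word(owner) + _address_word(spender)


def encode_revoke(spender: str) -> bytes:
    """Calldata for token.approve(spender, 0), which cancels the allowance."""
    return SEL_APPROVE + _address_word(spender) + _uint256_word(0)


def decode_uint256(ret: bytes) -> int:
    if len(ret) != 32:
        raise ValueError("expected a single 32-byte return word")
    return int.from_bytes(ret, "big")


def find_exposed(eth_call, tokens, owner, spender):
    """Return [(token, allowance)] for each token where owner still has a
    non-zero allowance to spender. eth_call(to, data) -> bytes mimics the
    JSON-RPC eth_call result."""
    exposed = []
    for token in tokens:
        allowance = decode_uint256(eth_call(token, encode_allowance_call(owner, spender)))
        if allowance:
            exposed.append((token, allowance))
    return exposed


def revoke_plan(exposed, spender):
    """One approve(spender, 0) transaction per exposed token; allowances are
    per (token, owner, spender), so each token needs its own revoke."""
    return [{"to": token, "data": "0x" + encode_revoke(spender).hex()} for token, _ in exposed]


# --- constructed sample data: placeholder addresses, not real deployments ---
OWNER = "0x" + "11" * 20
SPENDER = "0x" + "22" * 20        # stands in for a router contract users approved
USDC, WETH, DAI = "0x" + "a1" * 20, "0x" + "b2" * 20, "0x" + "c3" * 20

_FAKE_ALLOWANCES = {
    (USDC, OWNER, SPENDER): UNLIMITED,   # classic infinite approval
    (WETH, OWNER, SPENDER): 5 * 10**18,  # 5 WETH
    (DAI, OWNER, SPENDER): 0,            # nothing to revoke
}


def fake_eth_call(to: str, data: bytes) -> bytes:
    """Simulated node: decodes the allowance calldata and answers from the table."""
    assert data[:4] == SEL_ALLOWANCE
    owner = "0x" + data[16:36].hex()      # 4-byte selector + 12 bytes padding
    spender = "0x" + data[48:68].hex()    # next word, again after 12 bytes padding
    return _uint256_word(_FAKE_ALLOWANCES.get((to, owner, spender), 0))


if __name__ == "__main__":
    exposed = find_exposed(fake_eth_call, [USDC, WETH, DAI], OWNER, SPENDER)
    for token, amount in exposed:
        print(token, "unlimited" if amount == UNLIMITED else amount)
    for tx in revoke_plan(exposed, SPENDER):
        print(tx)
```

Setting the allowance to zero works for every ERC-20, including tokens such as USDT whose approve rejects a non-zero change on top of a non-zero allowance. Until the revoke transaction is mined the allowance is still live, so on a chain where the attacker is already draining approvers, speed and a sensible gas price matter more than batching.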
And late this morning, Head Chef Jared Grey reiterated that the RouteProcessor2 exploit did not touch any liquidity pools, so liquidity providers (LPs) were not affected.
FYI, in addition to the points quoted below, no pools were affected in the RouteProcessor2 exploit. So if you're an LP, you're safe. https://t.co/kYVaYbJXTY
— Jared Grey (@jaredgrey) April 10, 2023
The attack on SushiSwap comes almost a week after the $25.2 million hack on April 3 against Uniswap ($UNI).
8 addresses stole $25.2M assets from 8 #Uniswap pools by #Sandwich attacking.
Including:
– 7,461 $WETH ($13.4M)
– 5.3M $USDC
– 3M $USDT
– 65 $WBTC ($1.8M)
– 1.7M $DAI
And these 8 addresses are funded by @kucoincom. pic.twitter.com/T769G8TgbI
— Lookonchain (@lookonchain) April 3, 2023
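Lookonchain attributes the April 3 losses to sandwich attacking. The simulation below is an added illustration of how a sandwich works against a constant-product pool in general, not code from Lookonchain, Uniswap or the incident itself: the attacker buys just before the victim's swap (front-run), the victim's swap executes at the worse price, and the attacker sells straight after (back-run). The pool balances, trade sizes and the Uniswap-v2-style 0.3% fee are constructed numbers, and it also shows the standard defence, the victim's minimum-output slippage limit, turning the sandwich into a loss for the attacker.

```python
"""Sandwich attack on a constant-product (x * y = k) pool. Added illustration
with constructed numbers: 10,000,000 USDC / 5,000 WETH pool, a victim buying
WETH with 100,000 USDC, an attacker with 1,000,000 USDC. Floats for readability."""

FEE_NUM, FEE_DEN = 997, 1000  # 0.3% swap fee charged on the input amount


class Pool:
    def __init__(self, usdc: float, weth: float):
        self.usdc, self.weth = usdc, weth

    def quote_buy_weth(self, usdc_in: float) -> float:
        """WETH received for usdc_in under x * y = k with the fee applied."""
        amt = usdc_in * FEE_NUM
        return amt * self.weth / (self.usdc * FEE_DEN + amt)

    def buy_weth(self, usdc_in: float, min_weth_out: float = 0.0) -> float:
        """Swap USDC for WETH; reverts (raises) below the caller's slippage floor."""
        out = self.quote_buy_weth(usdc_in)
        if out < min_weth_out:
            raise ValueError("INSUFFICIENT_OUTPUT_AMOUNT")
        self.usdc += usdc_in
        self.weth -= out
        return out

    def sell_weth(self, weth_in: float) -> float:
        """Swap WETH back to USDC."""
        amt = weth_in * FEE_NUM
        out = amt * self.usdc / (self.weth * FEE_DEN + amt)
        self.weth += weth_in
        self.usdc -= out
        return out


def sandwich(pool: Pool, victim_usdc: float, victim_min_weth: float, attacker_usdc: float):
    """Run front-run, victim swap, back-run in one block.
    Returns (attacker profit in USDC, victim's WETH fill or None if the
    victim's slippage check reverted the trade)."""
    weth_bought = pool.buy_weth(attacker_usdc)            # front-run: price moves up
    try:
        victim_fill = pool.buy_weth(victim_usdc, victim_min_weth)
    except ValueError:
        victim_fill = None                                # victim tx reverted
    usdc_back = pool.sell_weth(weth_bought)               # back-run at the inflated price
    return usdc_back - attacker_usdc, victim_fill


def demo():
    """Unprotected victim (no slippage limit) vs a 1% slippage floor."""
    honest = Pool(10_000_000, 5_000).quote_buy_weth(100_000)  # fill with no attacker
    unprotected = sandwich(Pool(10_000_000, 5_000), 100_000, 0.0, 1_000_000)
    protected = sandwich(Pool(10_000_000, 5_000), 100_000, honest * 0.99, 1_000_000)
    return honest, unprotected, protected


if __name__ == "__main__":
    honest, (p1, fill1), (p2, fill2) = demo()
    print(f"no attacker: victim gets {honest:.3f} WETH")
    print(f"no slippage limit: victim gets {fill1:.3f} WETH, attacker nets {p1:,.0f} USDC")
    print(f"1% slippage limit: victim fill={fill2}, attacker nets {p2:,.0f} USDC")
```

With no slippage limit the victim receives markedly less WETH than the pool would have quoted, and the difference (minus two rounds of fees) is the attacker's profit. With a 1% floor the victim's transaction reverts and the attacker is left paying fees on a round trip, which is why wallets and routers set a minimum output, and why an attacker has to size the front-run to stay just inside the victim's tolerance.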
It is unknown if these two attacks are linked or if there is a broader attack against DEXs.
Regardless, we’ll keep you updated!