$3.3 Million Lost in SushiSwap Hack Due to Approval Bug – Users Urged to Revoke Permissions ASAP

In the Brief:

  • SushiSwap lost over $3 million due to a bug in the Router Processor 2 contract, affecting users who swapped on the protocol in the past four days.
  • Jared Grey advises revoking permissions for all contracts on the protocol; a list of the contracts requiring revocation is available on GitHub.
  • Grey states a "large portion of affected funds" was recovered in a whitehat security process.
  • SushiSwap has dealt with incidents before and says it is cooperating with the SEC's investigation.
  • The incident underscores the need for stronger security in decentralized finance.

Blockchain security companies CertiK Alert and PeckShield recently reported unusual activity related to the approval function in SushiSwap’s Router Processor 2 contract that resulted in a loss of over $3 million. SushiSwap is a decentralized finance (DeFi) protocol where users can trade various cryptocurrencies. The Router Processor 2 contract is a smart contract that identifies the most favorable price for swapping coins.

The loss was due to a bug in the Router Processor 2 contract, which led to the loss of over 1,800 ETH from 0xSifu. According to 0xngmi, a pseudonymous developer at DefiLlama, the hack should only affect users who swapped on the protocol in the past four days.

SushiSwap’s head developer Jared Grey urged users to revoke permissions for all contracts on the protocol. “Sushi’s RouteProcessor2 contract has an approval bug; please revoke approval ASAP. We’re working with security teams to mitigate the issue,” he noted. A list of the contracts requiring revocation, covering different blockchains, has been published on GitHub to address the problem.

However, hours after the incident, Grey took to Twitter to announce that a “large portion of affected funds” had been recovered in a whitehat security process. “We’ve confirmed recovery of more than 300ETH from CoffeeBabe of Sifu’s stolen funds. We’re in contact with Lido’s team regarding 700 more ETH.”

This is not the first time SushiSwap has experienced a hack. In September 2020, an anonymous developer, Chef Nomi, sold millions of dollars worth of SUSHI tokens before exiting the project. Now, Jared Grey and the SushiSwap community have to deal with another incident, which only adds to the protocol’s rocky history.

The SushiSwap community has had an intense weekend. On April 8, Grey and his counsel provided comments on the recent subpoena from the United States Securities and Exchange Commission (SEC). “The SEC’s investigation is a non-public, fact-finding inquiry trying to determine whether there have been any violations of the federal securities laws. To the best of our knowledge, the SEC has not (as of this writing) made any conclusions that anyone affiliated with Sushi has violated United States federal securities laws,” he stated. Grey claims to be cooperating with the investigation. A legal defense fund in response to the subpoena was proposed on Sushi’s governance forum on March 21.

This incident highlights the need for better security in decentralized finance. Crypto audits and bug bounties are often regarded as broken, and it’s essential to fix them to prevent similar incidents from happening again in the future. Traders should be vigilant and keep track of SushiSwap’s developments to understand the risks involved in trading on the platform.

Disclaimer: The content in this article is provided for informational purposes only and should not be considered as financial or trading advice. We are not financial advisors, and trading carries high risk. Always consult a professional financial advisor before making any investment decisions.