Sushiswap Smart Contract Bug Causes Losses of Over $3M

According to several sources, SushiSwap, a popular decentralised exchange (DEX), has lost more than $3.3 million after an attacker exploited a vulnerability in one of its smart contracts. The affected contract is the DEX’s RouteProcessor2, a router that combines trade liquidity from many sources and determines the best price for swapping tokens. It was attacked shortly after deployment, and the exploit spread across the different blockchain networks on which the contract had been deployed.

CertiK, a blockchain security firm, issued an alert on Twitter after discovering the security breach. PeckShield also tweeted to the crypto community that SushiSwap’s “RouterProcessor2 contract has an approve-related bug.” According to reports, the main victim was a well-known crypto advocate named Sifu, who reportedly lost 1,800 ether.

According to DefiLlama pseudonymous coder 0xngmi, the attack should only affect users who switched protocols during the last four days. “Root cause is because in the internal swap() function, it will call swapUniV3() to set variable ‘lastCalledPool’ which is at storage slot 0x00,” crypto security firm Ancilia said in a tweet. “Later on in the swap3callback function, the permission check gets bypassed.”

Sushi’s main developer, Jared Grey, asked users to revoke authorisation for the affected contracts on the protocol. “Sushi’s RouteProcessor2 contract has an approval bug; please revoke approval as soon as possible. We’re collaborating with security teams to address the problem,” he stated. To help with the remediation, a list of the affected contract addresses on each blockchain that require revocation has been published on GitHub.
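The remediation above comes down to finding every wallet that still holds a live ERC-20 allowance to one of the listed contracts and sending approve(spender, 0) from that wallet. As an added example (not SushiSwap’s code and not part of the original article), the Python below replays ERC-20 Approval event logs in the shape a JSON-RPC eth_getLogs response returns, keeps only the latest allowance per (token, owner, spender) so that an approval already revoked is not flagged, filters to an affected-spender list, and ABI-encodes the revoking approve call. The log records and all addresses are constructed placeholders; the real RouteProcessor2 addresses come from the GitHub list the article mentions.

```python
"""Find outstanding ERC-20 allowances to contracts on a revoke list and
build the approve(spender, 0) calldata that revokes each one.

Added example, not SushiSwap's code. All addresses and log records below
are constructed placeholders, not the real RouteProcessor2 deployments.
"""
from typing import Dict, List, Tuple

# keccak256("Approval(address,address,uint256)") - the standard ERC-20 Approval topic.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
# keccak256("Transfer(address,address,uint256)") - also has 3 topics, so it must be filtered out.
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
# 4-byte function selector of approve(address,uint256).
APPROVE_SELECTOR = "095ea7b3"

# Constructed placeholder addresses (assumption: not real contracts or wallets).
TOKEN = "0x00000000000000000000000000000000000000e0"
AFFECTED_ROUTER = "0x00000000000000000000000000000000000000a2"   # stands in for the listed contract
OTHER_SPENDER = "0x00000000000000000000000000000000000000a9"     # unrelated, not on the list
OWNER_A, OWNER_B, OWNER_C = (f"0x{'0' * 37}{s}" for s in ("0b1", "0b2", "0b3"))
AFFECTED_SPENDERS = {AFFECTED_ROUTER}


def _log(token, owner, spender, value, block, idx, topic0=APPROVAL_TOPIC) -> dict:
    """Build one eth_getLogs-style record: indexed addresses are left-padded to 32 bytes."""
    pad = lambda a: "0x" + a[2:].lower().rjust(64, "0")
    return {"address": token, "topics": [topic0, pad(owner), pad(spender)],
            "data": "0x" + format(value, "064x"),
            "blockNumber": hex(block), "logIndex": hex(idx)}


# Constructed sample logs, deliberately out of chain order:
#  - OWNER_A granted an unlimited allowance to the affected router (still live),
#  - OWNER_B granted one and then revoked it in a later block,
#  - OWNER_C only approved an unrelated spender,
#  - one Transfer event that must be ignored even though it also has 3 topics.
SAMPLE_LOGS = [
    _log(TOKEN, OWNER_B, AFFECTED_ROUTER, 0, 101, 0),              # the revoke
    _log(TOKEN, OWNER_B, AFFECTED_ROUTER, 10**18, 100, 5),          # the earlier approval
    _log(TOKEN, OWNER_A, AFFECTED_ROUTER, 2**256 - 1, 100, 7),
    _log(TOKEN, OWNER_C, OTHER_SPENDER, 5 * 10**18, 100, 9),
    _log(TOKEN, OWNER_A, OWNER_C, 10**18, 102, 1, topic0=TRANSFER_TOPIC),
]


def _topic_to_address(topic: str) -> str:
    """Take the low 20 bytes of a 32-byte topic word."""
    return "0x" + topic[-40:].lower()


def latest_allowances(logs: List[dict]) -> Dict[Tuple[str, str, str], int]:
    """Replay Approval logs in (block, logIndex) order; the last value per
    (token, owner, spender) wins, so approve-then-revoke ends at 0."""
    state: Dict[Tuple[str, str, str], int] = {}
    ordered = sorted(logs, key=lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16)))
    for log in ordered:
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # not an ERC-20 Approval event
        key = (log["address"].lower(), _topic_to_address(topics[1]), _topic_to_address(topics[2]))
        state[key] = int(log["data"], 16) if log["data"] not in ("0x", "") else 0
    return state


def outstanding_risky_approvals(logs: List[dict], affected=AFFECTED_SPENDERS):
    """Return (token, owner, spender, value) for live non-zero allowances to affected spenders."""
    return sorted(
        (token, owner, spender, value)
        for (token, owner, spender), value in latest_allowances(logs).items()
        if spender in affected and value > 0
    )


def revoke_calldata(spender: str) -> str:
    """ABI-encode approve(spender, 0): selector ++ address padded to 32 bytes ++ uint256(0).
    This is the calldata the wallet owner sends to the token contract."""
    addr = spender.lower()
    addr = addr[2:] if addr.startswith("0x") else addr
    if len(addr) != 40:
        raise ValueError("expected a 20-byte hex address")
    return "0x" + APPROVE_SELECTOR + addr.rjust(64, "0") + "0" * 64


if __name__ == "__main__":
    for token, owner, spender, value in outstanding_risky_approvals(SAMPLE_LOGS):
        print(f"{owner} still allows {spender} to spend {value} of {token}")
        print(f"  revoke tx: to={token} data={revoke_calldata(spender)}")
```

Only OWNER_A is reported: OWNER_B’s later zero-value Approval supersedes the earlier grant, OWNER_C’s spender is not on the list, and the Transfer record is skipped by its topic. Against a real node the logs would come from eth_getLogs filtered on the Approval topic and the wallet address as topic 1, and the revoke would be sent as a transaction to the token contract with the calldata shown.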

The attack comes on the heels of increased regulatory attention on the DEX, with the US Securities and Exchange Commission serving subpoenas on both Sushi DAO and Grey. The subpoena was disclosed on March 21 in the form of a proposal to the Sushi DAO to establish a legal defence fund to cover anticipated legal fees.

Grey and his attorneys responded to the subpoena on April 8, assuring the SEC that they are cooperating with its investigation. Grey also answered the most frequently asked questions about the subpoena in an FAQ document. The SEC has been cracking down hard on crypto and crypto-friendly firms.

The SEC has its reasons for taking stricter measures towards the crypto industry. In 2021, around $3.2 billion in cryptocurrencies were stolen, of which $2.2 billion (72%) was taken from DeFi apps. The amount stolen continued to rise through 2022: in the first three months of the year, more than $1.3 billion was taken. Despite strengthened security procedures, hackers have stolen millions of dollars from the DeFi market, and flash loans were the most common method used to target DeFi apps. According to DefiLlama, more than $20 million has been taken from the DeFi market since the beginning of the year.

Other protocols such as Dexible, Euler and Platypus have also been victims of DeFi attacks. On February 17, an attack on the multichain exchange aggregator Dexible resulted in the loss of $2 million in cryptocurrency. The attack abused the selfSwap function, which let users exchange one token for another by supplying the address of a router together with the calldata to pass to it.

On March 13, 2023, Euler Finance was the victim of a flash loan attack. The perpetrator stole millions of dollars in Dai (DAI), USD Coin (USDC), staked Ether (stETH) and Wrapped Bitcoin (WBTC), taking over $197 million in total and disrupting over 11 other DeFi protocols. Fortunately, the majority of the funds have since been recovered.

As for the Sushi hack, some members of the crypto community found the breach suspicious. On April 9, security firms detected unusual activity in the DeFi platform’s liquidity-aggregating smart contract, and the hack was carried out soon after.

The hack, according to community member Adam Cochran, is “weird.” The explanation he cites is that the router contract, which was “used by almost no one,” was immediately exploited when it received its first transactions. Cochran also believes that it seemed like someone was “waiting to strike.”

Through a white-hat recovery effort, the SushiSwap team was able to retrieve a large share of the stolen funds. More than 300 ETH of Sifu’s stolen money has been recovered from Coffeebabe, and Grey stated that he was in constant contact with Lido’s staff about a further 700 ETH. Later in the day, SushiSwap’s CTO, Matthew Lilley, followed up and stated that there are presently no concerns with using the SushiSwap DEX platform.