Decentralized finance (DeFi) protocol SushiSwap, also known for its cross-chain swap feature, reportedly lost $3.3 million to hackers on April 19 because of a bug in one of its smart contracts, according to blockchain security company CertiK's alert account.
Beware of an exploitable @SushiSwap RouteProcess02 contract which has been deployed to multiple chains.
Affected contract addresses:
ETH: 0x044b7
BSC: 0xd75f
POLY: 0x5097
AVAX: 0xbace
FTM: 0x3e60
Revoke permissions from the above addresses to avoid risk.
— CertiK Alert (@CertiKAlert) April 9, 2023
It was gathered that only users who had traded on the DeFi exchange in the previous four days were affected.
Both CertiK Alert and PeckShield reported unusual activity involving the approval function of Sushi's RouteProcessor2 contract, a smart contract that routes trades through liquidity from multiple sources.
It seems the @SushiSwap RouterProcessor2 contract has an approve-related bug, which leads to the loss of >$3.3M (about 1800 eth) from @0xSifu.
If you have approved https://t.co/E1YvC6VZsP, please *REVOKE* ASAP!
One example hack tx: https://t.co/ldg0ww3hAN pic.twitter.com/OauLbIgE0Q
— PeckShield Inc. (@peckshield) April 9, 2023
However, DefiLlama's anonymous developer 0xngmi declared, "The hack only affected users who swapped in the protocol within the past four days."
only users impacted by sushiswap hack should be those that swapped on sushiswap in the last 4 days, if you did so revert approvals asap or move your funds in affected wallet to a new wallet
— 0xngmi (llamazip arc) (@0xngmi) April 9, 2023
Meanwhile, Sushi's head developer, Jared Grey, urged users to revoke permissions for all contracts on the protocol while the security teams worked to mitigate the issue.
Sushi's RouteProcessor2 contract has an approval bug; please revoke approval ASAP. We're working with security teams to mitigate the issue. https://t.co/WhXJfa5xD4
— Jared Grey (@jaredgrey) April 9, 2023
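The advice in the tweets above boils down to one action: find any ERC-20 approvals you granted to the affected contract and revoke them by calling approve(spender, 0). The following is an added example, not code from the article or from Sushi. It shows, offline and without a web3 library, how an approval in transaction calldata is decoded, how a revocation calldata is built, and how a defender can scan a wallet's past transactions for still-live approvals to an affected spender. The ERC-20 selectors are the standard ones; the addresses and transactions are constructed placeholders, since the article only gives truncated contract addresses.

```python
# Added example (not from the article): offline ERC-20 approval audit helpers.
# The selectors below are the standard ERC-20 ones; every address and
# transaction here is a constructed placeholder, not a real on-chain value.

APPROVE_SELECTOR = bytes.fromhex("095ea7b3")    # approve(address,uint256)
TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")   # transfer(address,uint256), ignored
UINT256_MAX = 2**256 - 1                        # "unlimited" approval amount

# Constructed placeholder addresses (the page only lists truncated ones).
AFFECTED_ROUTER = "0x" + "11" * 20   # stands in for the affected router contract
SOME_TOKEN = "0x" + "22" * 20        # an ERC-20 token the user holds
OTHER_SPENDER = "0x" + "33" * 20     # an unrelated, unaffected spender


def _strip_hex(s: str) -> bytes:
    return bytes.fromhex(s[2:] if s.startswith("0x") else s)


def encode_address(addr: str) -> bytes:
    """ABI-encode an address: 20 bytes left-padded with zeros to 32 bytes."""
    raw = _strip_hex(addr)
    if len(raw) != 20:
        raise ValueError("address must be 20 bytes")
    return raw.rjust(32, b"\x00")


def encode_uint256(value: int) -> bytes:
    if not 0 <= value <= UINT256_MAX:
        raise ValueError("value out of uint256 range")
    return value.to_bytes(32, "big")


def build_revoke_calldata(spender: str) -> str:
    """Calldata for approve(spender, 0): the revocation the tweets ask for."""
    return "0x" + (APPROVE_SELECTOR + encode_address(spender) + encode_uint256(0)).hex()


def decode_approve(calldata: str):
    """Return (spender, amount) if calldata is a canonical approve() call, else None."""
    data = _strip_hex(calldata)
    if len(data) != 68 or data[:4] != APPROVE_SELECTOR:
        return None
    if data[4:16] != b"\x00" * 12:        # reject non-canonical address padding
        return None
    spender = "0x" + data[16:36].hex()
    amount = int.from_bytes(data[36:68], "big")
    return spender, amount


def find_risky_approvals(txs, affected_spenders):
    """Scan a wallet's outgoing txs for non-zero approvals to an affected spender.

    txs: list of dicts with "to" (token contract) and "input" (calldata).
    Returns one record per risky approval, including the revoke calldata to send
    to the same token contract.
    """
    affected = {s.lower() for s in affected_spenders}
    risky = []
    for tx in txs:
        decoded = decode_approve(tx["input"])
        if decoded is None:
            continue
        spender, amount = decoded
        if spender.lower() in affected and amount > 0:
            risky.append({
                "token": tx["to"],
                "spender": spender,
                "amount": amount,
                "unlimited": amount == UINT256_MAX,
                "revoke_calldata": build_revoke_calldata(spender),
            })
    return risky


# Constructed sample of a wallet's outgoing transactions over a few days.
SAMPLE_TXS = [
    {"to": SOME_TOKEN, "input": "0x" + (APPROVE_SELECTOR + encode_address(AFFECTED_ROUTER)
                                         + encode_uint256(UINT256_MAX)).hex()},   # unlimited: risky
    {"to": SOME_TOKEN, "input": "0x" + (APPROVE_SELECTOR + encode_address(OTHER_SPENDER)
                                         + encode_uint256(1000)).hex()},           # other spender: fine
    {"to": SOME_TOKEN, "input": build_revoke_calldata(AFFECTED_ROUTER)},           # already revoked
    {"to": SOME_TOKEN, "input": "0x" + (TRANSFER_SELECTOR + encode_address(OTHER_SPENDER)
                                         + encode_uint256(5)).hex()},              # not an approve
    {"to": SOME_TOKEN, "input": "0x" + (APPROVE_SELECTOR + encode_address(AFFECTED_ROUTER)
                                         + encode_uint256(500 * 10**18)).hex()},   # limited but live: risky
]

if __name__ == "__main__":
    for r in find_risky_approvals(SAMPLE_TXS, [AFFECTED_ROUTER]):
        kind = "UNLIMITED" if r["unlimited"] else str(r["amount"])
        print(f"token {r['token']} -> spender {r['spender']} amount {kind}")
        print(f"  send to token: {r['revoke_calldata']}")
```

The scan is a per-transaction view only: an approval is actually live if the token's current allowance(owner, spender) is non-zero, so the authoritative check is an on-chain allowance() call against each token, with the calldata built here sent to the token contract (not to the router) to zero it. The strict length and padding checks in decode_approve are deliberate: a permissive decoder that accepted trailing bytes or non-zero padding could be made to misreport what a transaction approved.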
It was evidently a tough weekend for the Sushi community, with users scrambling to secure their funds, and the Sushi team has not had an easy time of late.
On April 8, Grey and his counsel responded to the subpoena served on SushiSwap by the United States Securities and Exchange Commission (SEC), stating that no one connected to Sushi had violated any U.S. federal securities laws.
SushiSwap Partly Recovers from Attack
Notably, the SushiSwap team was able to recover a large portion of the funds following the exploit.
Sushi's head developer, Jared Grey, confirmed that most of the affected funds had been recovered through a whitehat security process, and urged anyone who had carried out a whitehat recovery to get in touch.
We've secured a large portion of affected funds in a whitehat security process. If you have performed a whitehat recovery please contact [email protected] for next steps.
— Jared Grey (@jaredgrey) April 9, 2023
He further noted that more than 300 ETH of Sifu's stolen funds had been recovered from CoffeeBabe, adding that the team was in contact with Lido's team regarding the recovery of a further 700 ETH.
We've confirmed recovery of more than 300ETH from CoffeeBabe of Sifu's stolen funds. We're in contact with Lido's team regarding 700 more ETH.
— Jared Grey (@jaredgrey) April 9, 2023
Recall that DeFi executives recently spoke at the World of Web3 (WOW) on the importance of introducing "Know Your Customer" (KYC) checks to curb hacking and money laundering.
At this juncture, talk should be matched with action. There is a compelling need to address the rising number of DeFi attacks for the sake of transparency and growth.