SushiSwap, a decentralized finance (DeFi) protocol, has suffered a loss of about $3.3 million due to a bug in one of its router contracts. Reports suggest that a prominent member of the Crypto Twitter community known as Sifu had their wallet drained of about 1,800 ETH through an “approve-related bug” in SushiSwap’s RouteProcessor2 contract. According to a separate analysis by Binance-backed cybersecurity firm Ancilia, the flaw was an access check that could be bypassed partway through a swap: the router records the pool it is about to call in a storage variable, and its swap callback only checks that the caller matches that variable. An attacker who routes a swap through a contract they control therefore becomes the “expected” caller, can invoke the callback themselves, and can make the router pull tokens from any address that had previously approved it. The Sushi team has confirmed the bug and stated that all hands are on deck to identify all the addresses affected by the exploit. The good news is that a large portion of the affected funds has already been recovered.
3/ The root cause is that in the internal swap() function, it will call swapUniV3() to set the variable "lastCalledPool" which is at storage slot 0x00. Later on in the swap3callback function the permission check gets bypassed. pic.twitter.com/LN0Ppsob9a— Ancilia, Inc. (@AnciliaInc) April 9, 2023
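To make the bug pattern concrete, the following is an added, simplified model written for this article; it is not the deployed RouteProcessor2 source or any code published by Sushi, and the contract names, the trimmed interfaces and the `HardenedRouter` design are this example's own assumptions. The vulnerable contract shows why a callback that trusts a storage slot set earlier in the same transaction is not an authorization check; the hardened contract shows one way to close the hole (it is not claimed to be the fix Sushi shipped).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Simplified model for illustration only: NOT the deployed RouteProcessor2 source.
// Interfaces are trimmed to the calls the example needs (assumed shapes).
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface IUniV3PoolLike {
    function token0() external view returns (address);
    function token1() external view returns (address);
    function fee() external view returns (uint24);
    function swap(address recipient, bool zeroForOne, int256 amountSpecified,
                  uint160 sqrtPriceLimitX96, bytes calldata data)
        external returns (int256 amount0, int256 amount1);
}

interface IUniV3FactoryLike {
    function getPool(address tokenA, address tokenB, uint24 fee) external view returns (address);
}

/// Vulnerable pattern. The "pool" comes straight from the caller-supplied route, and the
/// callback trusts (a) that msg.sender matches storage slot 0 and (b) the payer encoded in data.
contract VulnerableRouter {
    address public lastCalledPool; // storage slot 0, as in the Ancilia thread

    function swapUniV3(address pool, bool zeroForOne, uint256 amountIn, uint160 limit,
                       address tokenIn, address from) external {
        lastCalledPool = pool; // an attacker simply passes their own contract here
        IUniV3PoolLike(pool).swap(msg.sender, zeroForOne, int256(amountIn), limit,
                                  abi.encode(tokenIn, from));
    }

    function uniswapV3SwapCallback(int256 amount0Delta, int256 amount1Delta,
                                   bytes calldata data) external {
        // The attacker's contract IS lastCalledPool, so this passes...
        require(msg.sender == lastCalledPool, "unknown source");
        // ...and the attacker also chose tokenIn and from when invoking this callback.
        (address tokenIn, address from) = abi.decode(data, (address, address));
        int256 amount = amount0Delta > 0 ? amount0Delta : amount1Delta;
        require(amount > 0, "not positive");
        // Pulls from any wallet that ever approved this router and pays msg.sender.
        IERC20(tokenIn).transferFrom(from, msg.sender, uint256(amount));
    }
}

/// Hardened pattern (one approach, not necessarily what Sushi shipped): the callback
/// re-derives the pool from the trusted factory instead of trusting slot 0, the payer is
/// the account that started the route, and the token owed comes from the pool's own deltas.
contract HardenedRouter {
    IUniV3FactoryLike public immutable factory;
    address private constant NO_POOL = address(1);
    address private lastCalledPool = NO_POOL;
    address private payer;

    constructor(IUniV3FactoryLike f) { factory = f; }

    function swapUniV3(address pool, bool zeroForOne, uint256 amountIn, uint160 limit) external {
        require(lastCalledPool == NO_POOL, "swap in progress");
        require(_isFactoryPool(pool), "not a factory pool");
        lastCalledPool = pool;
        payer = msg.sender; // only the route's caller can ever be charged
        IUniV3PoolLike(pool).swap(msg.sender, zeroForOne, int256(amountIn), limit, "");
        require(lastCalledPool == NO_POOL, "callback not received");
        payer = address(0);
    }

    function uniswapV3SwapCallback(int256 amount0Delta, int256 amount1Delta,
                                   bytes calldata) external {
        require(msg.sender == lastCalledPool, "unknown source");
        require(_isFactoryPool(msg.sender), "not a factory pool"); // independent of slot 0
        lastCalledPool = NO_POOL;
        int256 amount = amount0Delta > 0 ? amount0Delta : amount1Delta;
        require(amount > 0, "not positive");
        address token = amount0Delta > 0 ? IUniV3PoolLike(msg.sender).token0()
                                         : IUniV3PoolLike(msg.sender).token1();
        IERC20(token).transferFrom(payer, msg.sender, uint256(amount));
    }

    // A genuine pool's address is fixed by the factory for its (token0, token1, fee) triple,
    // so an attacker contract that merely reports real tokens and a fee still fails this check.
    function _isFactoryPool(address pool) internal view returns (bool) {
        IUniV3PoolLike p = IUniV3PoolLike(pool);
        return factory.getPool(p.token0(), p.token1(), p.fee()) == pool;
    }
}
```

The point of the hardened version is that nothing the callback relies on (the pool identity, the payer, the token) is chosen by the party calling the callback. Note that even a correct router still needs standing ERC-20 approvals to work, which is why the blast radius of any router bug is the set of wallets that approved it, and why the advice after this incident was to revoke those approvals (an `approve(router, 0)` call per token).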
SushiSwap “head chef” Jared Gray advised users who have interacted with the protocol to revoke all permissions (ERC-20 token approvals) granted to its contracts. In response to the hack, he posted a link to a tool to check for exposure across a variety of networks, including Ethereum, Polygon, Avalanche, Arbitrum, Gnosis, Optimism, and others. Gray also reiterated that there was no risk in using Sushi Protocol or the user interface, as all exposure to RouteProcessor2 had been removed from the front end, and all liquidity providing and current swap activity was safe to do.
Compared with other crypto thefts, the damage from this hack is relatively modest. It is not SushiSwap’s first incident: in September 2021, its MISO token platform was hit by a supply chain attack on the front end, leading to the loss of about $3 million in ETH. The Ethereum address provided by SushiSwap’s CTO showed that the perpetrator managed to steal 865.1 ETH, worth more than $3 million at the time. Other protocols have lost far more; in 2020, the Harvest Finance DeFi protocol was hacked, leading to a loss of $24 million in funds.
It seems the @SushiSwap RouterProcessor2 contract has an approve-related bug, which leads to the loss of >$3.3M (about 1800 eth) from @0xSifu.— PeckShield Inc. (@peckshield) April 9, 2023
If you have approved https://t.co/E1YvC6VZsP, please *REVOKE* ASAP!
One example hack tx: https://t.co/ldg0ww3hAN pic.twitter.com/OauLbIgE0Q
In light of the attack, SushiSwap’s head chef, Jared Gray, has urged users to revoke the token approvals they have granted to the protocol’s contracts. The team’s quick response in identifying the exploit and recovering some of the funds has limited the impact of the hack. As a result, the price of SushiSwap’s SUSHI token has dipped only slightly in the past 24 hours, down about 3%.
. @SushiSwap RouteProcessor2 was attacked, and sifuvision.eth @0xSifu lost 1800 ETH due to this. We tracked the stolen funds and presented them as follows.— MetaSleuth (@MetaSleuth) April 9, 2023
The first attacker (0x9deff) has returned 90 ETH (of 100 stolen). BlockSec rescued 100 ETH and will return it shortly. The… https://t.co/sMqzNiDL5p pic.twitter.com/kGrt9cifIS
These attacks do highlight the risks that exist in the crypto space. The decentralized nature of DeFi protocols makes them attractive targets for hackers: there is no central authority that can pause transfers or reverse a theft, and standing token approvals mean a single contract bug can reach funds sitting in user wallets. It is therefore crucial for users to understand the risks of interacting with DeFi protocols and to take the necessary precautions, such as reviewing and revoking approvals they no longer need. It is equally essential for projects to keep developing and implementing robust security measures to prevent future hacks.
In conclusion, the SushiSwap hack underscores the need for continued vigilance in the crypto space. Although SushiSwap suffered a loss of about $3.3 million, the team’s quick response has helped to limit the damage. This hack, like others before it, highlights the need for stronger security measures to protect user funds. As DeFi protocols continue to grow in popularity, it is crucial to stay informed and take the necessary precautions to keep funds safe.