A bug introduced into a SushiSwap contract four days earlier was exploited late Saturday to drain about $3.3 million in ETH from a single user’s account.
According to a Twitter post by blockchain security and data analytics company PeckShield, a wallet controlled by the victim, a prominent member of the Crypto Twitter community known as Sifu, was drained of about 1,800 ETH through an “approve-related bug” in SushiSwap’s RouteProcessor2 contract.
Separate analysis by Binance-backed cybersecurity firm Ancilia determined that the flaw was a missing permission check in the middle of a swap: the router’s swap callback accepted a caller based on a value the swap itself had just written, so the check on which pool was calling back could be bypassed. The firm also found the same vulnerable contract deployed on the Polygon network.
Root cause is because in the internal swap() function, it will call swapUniV3() to set variable “lastCalledPool” which is at storage slot 0x00. Later on in the swap3callback function the permission check gets bypassed.
— Ancilia, Inc. (@AnciliaInc) April 9, 2023
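As an added illustration of the pattern Ancilia’s thread describes, here is a Solidity sketch of a router whose swap callback authorizes its caller only by comparing it with the pool address the swap just wrote to storage, next to a hardened variant. This is example code written for this page, not RouteProcessor2’s source or SushiSwap’s fix; the contract and interface names, the layout of the callback data, and the two hardening choices (derive the pool from a trusted factory rather than from the route, and pull funds only from the account that started the route) are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative sketch only, NOT RouteProcessor2's source. VulnerableRouter,
// HardenedRouter, IPool, IFactory and the callback data layout are assumptions.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface IPool {
    // Mirrors the Uniswap V3 pool.swap() shape: the pool hands control back to
    // msg.sender through uniswapV3SwapCallback before the swap completes.
    function swap(address recipient, bool zeroForOne, int256 amountSpecified,
                  uint160 sqrtPriceLimitX96, bytes calldata data)
        external returns (int256 amount0, int256 amount1);
}

interface IFactory {
    function getPool(address tokenA, address tokenB, uint24 fee) external view returns (address);
}

// The pattern from the analysis: the pool address comes from the caller-supplied
// route, is remembered in storage slot 0, and is the ONLY thing the callback
// checks before paying from a payer address that is also taken from calldata.
contract VulnerableRouter {
    address public lastCalledPool; // storage slot 0x00

    function swapUniV3(address pool, bool zeroForOne, int256 amountIn,
                       uint160 sqrtPriceLimitX96, address tokenIn, address payer) external {
        lastCalledPool = pool; // whatever address the route named lands here
        IPool(pool).swap(msg.sender, zeroForOne, amountIn, sqrtPriceLimitX96,
                         abi.encode(tokenIn, payer));
    }

    function uniswapV3SwapCallback(int256 amount0Delta, int256 amount1Delta,
                                   bytes calldata data) external {
        // Sole guard: the caller must equal the address written a moment ago.
        // Any address that was passed in as `pool` satisfies this trivially.
        require(msg.sender == lastCalledPool, "untrusted pool");
        (address tokenIn, address payer) = abi.decode(data, (address, address));
        // Simplified: assumes an exact-input swap, where the positive delta is owed.
        uint256 owed = uint256(amount0Delta > 0 ? amount0Delta : amount1Delta);
        // Pulls from `payer`, i.e. any account that ever approved this router,
        // not necessarily the account that started this swap.
        IERC20(tokenIn).transferFrom(payer, msg.sender, owed);
    }
}

// Hardened variant (assumed design, not SushiSwap's actual fix).
contract HardenedRouter {
    IFactory public immutable factory;
    address private payer;        // account that started the current route
    address private expectedPool; // pool we called, derived from the factory

    constructor(IFactory f) { factory = f; }

    function swapUniV3(address tokenIn, address tokenOut, uint24 fee, bool zeroForOne,
                       int256 amountIn, uint160 sqrtPriceLimitX96) external {
        // 1. Look the pool up on the trusted factory; never trust a route-supplied address.
        address pool = factory.getPool(tokenIn, tokenOut, fee);
        require(pool != address(0), "no such pool");
        // 2. Bind the source of funds to the caller of this entry point.
        payer = msg.sender;
        expectedPool = pool;
        IPool(pool).swap(msg.sender, zeroForOne, amountIn, sqrtPriceLimitX96, abi.encode(tokenIn));
        // 3. Clear transient state so a stale value cannot authorize a later callback.
        expectedPool = address(0);
        payer = address(0);
    }

    function uniswapV3SwapCallback(int256 amount0Delta, int256 amount1Delta,
                                   bytes calldata data) external {
        require(expectedPool != address(0) && msg.sender == expectedPool, "untrusted pool");
        address tokenIn = abi.decode(data, (address));
        uint256 owed = uint256(amount0Delta > 0 ? amount0Delta : amount1Delta);
        // The payer is the account that invoked swapUniV3, not a value from calldata.
        IERC20(tokenIn).transferFrom(payer, msg.sender, owed);
    }
}
```

The practitioner’s takeaway is the combination of the two weaknesses in the first contract: an authorization check keyed on state the caller just set, and a funds source taken from callback data. Either one alone is survivable; together, every allowance granted to the router becomes reachable by anyone who can drive the route, which is why the advice after the incident was to revoke approvals rather than merely avoid the front end.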
SushiSwap “head chef” Jared Grey confirmed the bug and exploit about an hour later, and repeated PeckShield’s recommendation that users who have interacted with the SushiSwap protocol revoke all permissions granted to its contracts. Grey had broken the news of SushiSwap’s SEC subpoena two weeks ago.
Early Sunday morning, SushiSwap CTO Matthew Lilley followed up with more details.
“We’re currently all hands on deck working through identifying all addresses that have been affected by the RouteProcessor2 exploit,” Lilley wrote. “Several rescues have been initiated, and we are continuing to monitor / rescue funds as they become available.”
“There is no risk at this time with using Sushi Protocol, and the UI,” he continued. “All exposure to RouteProcessor2 has been removed from the front end, and all [liquidity providing and] current swap activity is safe to do.”
To help users determine whether they had granted RouteProcessor2 access to their funds, Lilley posted a link to a tool that checks for exposure across a variety of networks, including Ethereum, Polygon, Avalanche, Arbitrum, Gnosis, Optimism, and others.
According to Grey, more than 300 ETH of Sifu’s stolen funds have since been recovered, with another 700 ETH in process. The recovery effort has been tracked by crypto visualization service MetaSleuth.
Despite the hack, the price of SushiSwap’s SUSHI token has dipped only slightly in the past 24 hours, down about 3%.
In 2021, SushiSwap narrowly avoided a massive hack when a “white hat” crypto researcher discovered a bidding bug that could have been exploited to the tune of $350 million.