A bug introduced into a smart contract on decentralized finance (DeFi) protocol SushiSwap was exploited on Sunday, leading to Ethereum (ETH) worth $3.3 million being stolen from a user’s wallet.
SushiSwap Smart Contract Bug Leads to 1,800 ETH Stolen From User’s Wallet
Blockchain security and data analytics firms PeckShield and Certik went on Twitter to alert users about an unusual activity that was taking place on the Ethereum-based decentralized crypto exchange on April 9.
The approval function on Sushi’s Router Processor 2 contract, a smart contract that aggregates trade liquidity from multiple platforms and provides users with the most favourable price to swap tokens, was exploited in an attack that caused over $3 million in losses to one user of the exchange.
The hacker specifically targeted the wallet of “Sifu”, a prominent member of the Twitter crypto community, which contained 1,800 ETH worth upwards of $3.3 million.
In a separate analysis, cybersecurity firm Ancilia stated that the hack was caused by Sushi’s failure to validate access permissions during a swap transaction. The Binance Labs-backed firm warned that any user who had given permission to the smart contract was a potential victim, and asked them to revoke their permission as soon as possible. Ancilia also found the vulnerable contract to be deployed on the Polygon blockchain.
CertiK warned followers on Twitter that the Router Processor 2 contract was deployed to other blockchains, including Ethereum, Binance Smart Chain, Avalanche, Fantom, Polygon, Optimism, Gnosis, Moonbeam, Boba, zkEVM, Moonriver, and Fuse.
The on-chain security firm provided contract addresses for each network that was affected by the bug and asked users to revoke permissions to avoid the risk of their wallets being compromised and funds being stolen.
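The class of flaw Ancilia describes above, a swap path that moves a user’s approved tokens without checking who is calling, as an added Solidity illustration; this is not SushiSwap’s code, and the contract and function names are hypothetical:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal ERC-20 surface the router needs.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

// VULNERABLE pattern (illustrative, not SushiSwap's code): the router pulls
// tokens out of a caller-supplied `from` address. An ERC-20 approval is
// granted to the router contract, not to a person, so whoever calls swap()
// decides where any approver's tokens go.
contract UnsafeRouter {
    function swap(address tokenIn, address from, uint256 amountIn, address to) external {
        // Missing check: nothing ties `from` to msg.sender.
        require(IERC20(tokenIn).transferFrom(from, address(this), amountIn), "pull failed");
        // Swap logic omitted for brevity; the pulled tokens are forwarded to `to`.
        require(IERC20(tokenIn).transfer(to, amountIn), "push failed");
    }
}

// HARDENED pattern: only the caller's own approved balance can be moved,
// so an outstanding approval is usable by nobody but its owner.
contract SafeRouter {
    error NotOwner(address from, address caller);

    function swap(address tokenIn, address from, uint256 amountIn, address to) external {
        if (from != msg.sender) revert NotOwner(from, msg.sender);
        require(IERC20(tokenIn).transferFrom(from, address(this), amountIn), "pull failed");
        // Swap logic omitted for brevity; the pulled tokens are forwarded to `to`.
        require(IERC20(tokenIn).transfer(to, amountIn), "push failed");
    }
}
```

The "revoke permission" advice in the article corresponds to the affected wallet itself calling `IERC20(token).approve(routerAddress, 0)` for every token it had approved to the vulnerable contract; until the allowance is zero, the approval remains spendable by the router regardless of whether the user ever swaps again.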
0xngmi, a pseudonymous developer at DeFi aggregator DeFiLlama, noted that users affected by the SushiSwap hack were those who had swapped tokens on the exchange in the last four days. He later clarified that the smart contract had been deployed on some chains about two weeks ago but was unclear about exactly when they were added. 0xngmi also listed the contracts that need to be revoked and asked users to move their funds to a new wallet.
An hour after the attack took place, Sushi head chef Jared Grey confirmed the exploit and assured customers that the exchange was working with security teams to “mitigate the issue”. He echoed the blockchain security firms in asking users to revoke all permissions given to the smart contract.
Gray also provided a link to a website created by DeFiLlama to check whether users’ addresses were impacted by the hack and which crypto tokens need to be revoked.
On April 9, SushiSwap chief technology officer Matthew Lilley followed up his boss’s statement with more details on the attack. Lilley wrote on Twitter that the team was working with blockchain security firms to identify all addresses that were affected by the Router Processor 2 contract exploit. He said that Sushi was continuing to monitor the funds and rescue them as they became available.
Lilley assured users that there was no risk in using the Sushi protocol and its interface at the moment, as the vulnerable contract had been removed from the platform’s front end. He added that all activities, including providing liquidity to token pools and swapping, were safe.
Lilley asked affected users to check for the output address to which their funds were transferred. Sushi had implemented a white hat rescue address to safeguard the funds of victims.
Hours after the exploit, security firm BlocSec tweeted that it had managed to rescue a portion of the stolen funds. Sushi head chef Grey also confirmed the reports, revealing that more than 300 ETH worth $557,218 had been recovered and that the team was negotiating the return of another 700 ETH that had been staked on Lido.
Crypto visualization service MetaSleuth, which had been tracking the activity, reported that the first attacker returned 90% of the 100 ETH that was stolen, while BlocSec rescued another 100 ETH ($185,739), which would eventually be returned to Sushi.
MetaSleuth added that the majority of the stolen funds had been transferred to Ethereum staking protocols, such as Beaver Build, Lido, and Rsync Builder.
SushiSwap Facing Enforcement Action by SEC
Sushi users had been facing a torrid week that also saw the head chef reply to the community’s concern about possible enforcement action by the U.S. Securities and Exchange Commission (SEC).
The financial regulator had served a subpoena to the Sushi DAO and its CEO to determine whether the Japanese DeFi exchange had violated any federal securities laws.
On April 8, Grey said that to the best of his knowledge, the SEC had not made any conclusions that anyone associated with Sushi had violated U.S. federal securities laws.
On March 21, after the SEC subpoenaed the exchange, Grey submitted a proposal to the Sushi decentralized autonomous organization (DAO) to set up a $3 million legal defence fund in USDT stablecoin to cover all legal costs of possible litigation by the financial watchdog.
This was not the first time SushiSwap had been the target of an exploit. In 2021, a white-hat researcher at crypto-centric venture capital firm Paradigm discovered a bug in the Ethereum-based exchange’s token bidding contract, saving the platform from an exploit that could have cost $350 million in losses if found by a bad actor.
SUSHI, the native token of the decentralized exchange (DEX), dipped by 3% following the exploit. At the time of writing, SUSHI is trading at $1.1 – up over 2% in the last 24 hours.