SushiSwap smart contract bug leads to $3.3 million exploit


According to several security reports, SushiSwap lost about $3.3 million to a smart contract bug exploited on April 9. Only those who used the protocol in the last four days are affected.

Blockchain security analysts PeckShield and CertiK Alert have reported unusual activity related to an approval flaw in a smart contract on the decentralized finance protocol SushiSwap, which aggregates trade liquidity from multiple sources and determines the most favorable price for exchanging coins. The reported bug led to the loss of $3.3 million worth of Ethereum from a single account, that of SushiSwap community member Sifu:

It seems the @SushiSwap RouterProcessor2 contract has an approve-related bug, which leads to a loss of >$3.3M (about 1800 eth) from @0xSifu.

If you have approved https://t.co/E1YvC6VZsP, please *REVOKE* ASAP!

One example hack tx: https://t.co/ldg0ww3hAN

— PeckShield Inc. (@peckshield) April 9, 2023

A separate analysis of the cause of the exploit by cybersecurity firm Ancilia found that the bug stemmed from access permissions not being validated in the middle of a swap transaction. Additionally, the firm identified the specific contract on the Polygon network that was exposed to the vulnerability:

3/ Root cause is because in the internal swap() function, it will call swapUniV3() to set variable "lastCalledPool" which is at storage slot 0x00. Later on in the swap3callback function the permission check gets bypassed.

— Ancilia, Inc. (@AnciliaInc) April 9, 2023
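The authorization flaw Ancilia describes, as an added illustration in simplified Solidity (hypothetical code, not RouterProcessor2's source): the vulnerable router records whatever pool address the caller's route supplied and later accepts a callback from that address, and the callback settles the swap by pulling tokens from a payer named in calldata, which is why any approval given to the router was exposed. The hardened version only accepts callbacks from pools the known factory deployed, clears the expected pool after one use, and chooses the payer itself; the interface names and the transferFrom-based settlement are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Added illustration (hypothetical, not RouterProcessor2's source): a swap
// callback whose only authorization is "msg.sender == lastCalledPool", where
// lastCalledPool was just written from a caller-supplied route.

interface IERC20 { function transferFrom(address f, address t, uint256 a) external returns (bool); }
interface IUniswapV3Factory { function getPool(address, address, uint24) external view returns (address); }
interface IPool { function swap(address to, bool zeroForOne, int256 amt, uint160 limit, bytes calldata d) external; }

contract VulnerableRouter {
    address public lastCalledPool;                    // storage slot 0

    // The pool address comes from calldata; whatever is passed becomes "trusted".
    function swapUniV3(address pool, bool zeroForOne, int256 amount, uint160 limit, bytes calldata data) external {
        lastCalledPool = pool;
        IPool(pool).swap(msg.sender, zeroForOne, amount, limit, data);
    }

    function uniswapV3SwapCallback(int256 d0, int256 d1, bytes calldata data) external {
        require(msg.sender == lastCalledPool, "not pool"); // satisfied by any address set above
        (address token, address payer) = abi.decode(data, (address, address)); // payer is caller-chosen
        uint256 owed = uint256(d0 > 0 ? d0 : d1);         // positive delta is the amount the swap owes
        IERC20(token).transferFrom(payer, msg.sender, owed); // spends any approval payer gave this router
    }
}

contract HardenedRouter {
    IUniswapV3Factory public immutable factory;
    address private expectedPool;

    constructor(IUniswapV3Factory f) { factory = f; }

    function swapUniV3(address tokenIn, address tokenOut, uint24 fee, int256 amount, uint160 limit) external {
        address pool = factory.getPool(tokenIn, tokenOut, fee);
        require(pool != address(0), "unknown pool");  // only pools the known factory deployed
        expectedPool = pool;
        bool zeroForOne = tokenIn < tokenOut;         // V3 orders token0 < token1 by address
        IPool(pool).swap(msg.sender, zeroForOne, amount, limit, abi.encode(tokenIn, msg.sender));
    }

    function uniswapV3SwapCallback(int256 d0, int256 d1, bytes calldata data) external {
        require(msg.sender == expectedPool, "not pool");
        expectedPool = address(0);                    // one callback per swap, never left armed
        (address tokenIn, address payer) = abi.decode(data, (address, address));
        uint256 owed = uint256(d0 > 0 ? d0 : d1);
        // payer was encoded by this contract from the swap's msg.sender, not taken from user calldata
        IERC20(tokenIn).transferFrom(payer, msg.sender, owed);
    }
}
```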


DefiLlama developer 0xngmi has stated that the hack probably only affects those users who have performed swaps via the protocol within the last four days:

only users impacted by sushiswap hack should be those that swapped on sushiswap in the last 4 days, if you did so revert approvals asap or move your funds in affected wallet to a new wallet

— 0xngmi (llamazip arc) (@0xngmi) April 9, 2023

Sushi’s head developer, Jared Grey, confirmed the bug and asked users to revoke permissions for all contracts on the protocol. He also stated that the team will provide a “thorough post-mortem of the development process leading up to the exploit and the events that unfolded post-exploit,” and that a great deal of the funds had already been recovered.

We've confirmed recovery of more than 300ETH from CoffeeBabe of Sifu's stolen funds. We're in contact with Lido's team regarding 700 more ETH.

— Jared Grey (@jaredgrey) April 9, 2023

SushiSwap CTO Matthew Lilley later added:

We’re currently all hands on deck working through identifying all addresses that have been affected by the RouterProcessor2 exploit. Several rescues have been initiated, and we are continuing to monitor / rescue funds as they become available.

There is no risk at this time with using Sushi Protocol, and the UI. All exposure to RouterProcessor2 has been removed from the front end, and all LPing / current swap activity is safe to do.

— I'm Software 🦇🔊 (@MatthewLilley) April 9, 2023

Lilley provided a tool to assist users in verifying whether they had given RouterProcessor2 access to their funds. The tool can check for potential exposure on numerous networks, such as Ethereum, Polygon, Avalanche, Arbitrum, Gnosis, Optimism, and others.
