According to several security reports, SushiSwap lost about $3.3 million due to a bug that occurred on April 9. Only those who used the protocol in the last four days are affected.
Blockchain security analysts PeckShield and CertiK Alert have reported unusual activity related to an approval failure in a smart contract on the decentralized finance protocol SushiSwap, which aggregates trade liquidity from multiple sources and determines the most favorable price for exchanging coins. The reported bug led to the exploitation of $3.3 million worth of Ethereum from a single user’s account, SushiSwap community member Sifu.
A separate analysis of the cause of the exploit by cybersecurity firm Ancilia found that the bug arose because access permissions were not validated during the middle of a swap transaction. Additionally, the firm identified the specific contract on the Polygon network that was exposed to the vulnerability.
DefiLlama developer 0xngmi has stated that the hack probably only affects those users who have performed swaps via the protocol within the last four days.
Sushi’s head developer, Jared Grey, confirmed the bug and asked users to revoke permissions for all contracts on the protocol. He also stated that the team will provide a “thorough post-mortem of the development process leading up to the exploit and the events that unfolded post-exploit,” and that a great deal of the funds had already been recovered.
SushiSwap CTO Matthew Lilley later added:
We’re currently all hands on deck working through identifying all addresses that have been affected by the RouterProcessor2 exploit. Several rescues have been initiated, and we are continuing to monitor / rescue funds as they become available.
Lilley provided a tool to assist users in verifying whether they had given RouterProcessor2 access to their funds. The tool can check for potential exposure on numerous networks, such as Ethereum, Polygon, Avalanche, Arbitrum, Gnosis, Optimism, and others.
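The exposure check described above boils down to one question: which owners still hold a non-zero ERC-20 allowance toward the router? The following is an added example, not Lilley's tool or any SushiSwap code; it replays constructed `Approval` events against a placeholder router address (the real RouterProcessor2 address is not given on this page) and builds the standard `approve(spender, 0)` calldata a user would submit to revoke that allowance.

```python
from dataclasses import dataclass

# Placeholder stand-in for the RouterProcessor2 address; NOT the real contract address.
ROUTER = "0x" + "ab" * 20
# Standard ERC-20 function selector: keccak256("approve(address,uint256)")[:4].
APPROVE_SELECTOR = "095ea7b3"

@dataclass(frozen=True)
class Approval:
    """One ERC-20 Approval(owner, spender, value) log, with its position in the chain."""
    token: str
    owner: str
    spender: str
    value: int
    block: int
    log_index: int

def exposed_allowances(events, spender):
    """Replay Approval events in chain order; the last value seen per (token, owner)
    is the live allowance granted to `spender`. Only non-zero allowances are exposure.
    Caveat: transferFrom may lower an allowance without emitting Approval, so this is
    an upper bound; the authoritative value is allowance(owner, spender) on-chain."""
    live = {}
    for ev in sorted(events, key=lambda e: (e.block, e.log_index)):
        if ev.spender.lower() != spender.lower():
            continue
        live[(ev.token.lower(), ev.owner.lower())] = ev.value
    return {key: val for key, val in live.items() if val > 0}

def revoke_calldata(spender):
    """ABI-encode approve(spender, 0): 4-byte selector, 32-byte left-padded address, 32-byte zero."""
    addr = spender.lower().removeprefix("0x")
    return "0x" + APPROVE_SELECTOR + addr.rjust(64, "0") + "0" * 64

# Constructed sample data (hypothetical tokens and users).
TOKEN_A, TOKEN_B = "0x" + "11" * 20, "0x" + "22" * 20
ALICE, BOB, OTHER_SPENDER = "0x" + "a1" * 20, "0x" + "b0" * 20, "0x" + "cc" * 20
MAX_UINT = 2**256 - 1
SAMPLE_EVENTS = [
    Approval(TOKEN_A, ALICE, ROUTER, MAX_UINT, 100, 3),    # Alice grants unlimited allowance
    Approval(TOKEN_A, BOB, ROUTER, 1000, 101, 0),          # Bob grants 1000
    Approval(TOKEN_B, BOB, ROUTER, 5, 101, 1),             # Bob grants 5 on a second token
    Approval(TOKEN_A, ALICE, OTHER_SPENDER, 50, 102, 0),   # different spender: irrelevant
    Approval(TOKEN_A, ALICE, ROUTER, 0, 105, 2),           # Alice revokes: no longer exposed
]

if __name__ == "__main__":
    for (token, owner), value in exposed_allowances(SAMPLE_EVENTS, ROUTER).items():
        print(f"{owner} still allows {ROUTER} to spend {value} of {token}")
    print("revoke calldata:", revoke_calldata(ROUTER))
```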