SushiSwap Suffers A $3.3m Exploit Due To An Approval Bug

In the wee hours of April 9, a bug in a smart contract on the decentralized finance (DeFi) protocol SushiSwap led to losses amounting to over $3 million, according to security reports on Twitter from blockchain security firms CertiK Alert and Peckshield.

It seems the @SushiSwap RouterProcessor2 contact has an approve-related bug, which leads to the loss of >$3.3M loss (about 1800 eth) from @0xSifu.

If you have approved https://t.co/E1YvC6VZsP, please *REVOKE* ASAP!

One example hack tx: https://t.co/ldg0ww3hAN pic.twitter.com/OauLbIgE0Q

— PeckShield Inc. (@peckshield) April 9, 2023

The approval function in Sushi's Router Processor 2 contract—a smart contract that aggregates trade liquidity from multiple sources and identifies the most favorable price for swapping coins—appeared to be at the heart of the unusual activity. The exploit resulted in losses of roughly $3.3 million within a few hours.

DefiLlama pseudonymous developer 0xngmi suggested that only users who had swapped in the protocol during the past four days should be affected by the hack.

Sushi's lead developer (head chef), Jared Grey, urged users to revoke permissions for all contracts on the protocol, stating, "Sushi's RouteProcessor2 contract has an approval bug; please revoke approval ASAP. We’re working with security teams to mitigate the issue.” A list of contracts on GitHub with different blockchains requiring revocation was promptly created to address the problem.

Decentralized exchanges (DEXs) have revolutionized the way people trade cryptocurrencies, allowing for peer-to-peer transactions without intermediaries like banks or centralized exchanges. However, DEXs are not without their risks, and one of the primary concerns is the vulnerability of smart contracts, which govern the transactions within these exchanges.

Smart contracts are self-executing contracts with the terms of the agreement directly written into code. They are designed to automatically execute, control, or document events and actions according to the terms of the contract. While smart contracts aim to increase transparency, efficiency, and trust, their complex nature and reliance on code can lead to vulnerabilities.

Hours after the incident, Grey announced via Twitter that a "large portion of affected funds" had been recovered through a white hat security process. Grey confirmed the recovery of more than 300 ETH from CoffeeBabe of Sifu's stolen funds and mentioned being in contact with Lido's team regarding the recovery of an additional 700 ETH.

This incident comes on the heels of an intense weekend for the Sushi community, as Grey and his counsel provided comments on the recent subpoena from the United States Securities and Exchange Commission (SEC) on April 8. The subpoena was handed down in March 21st.

"The SEC’s investigation is a non-public, fact-finding inquiry trying to determine whether there have been any violations of the federal securities laws. To the best of our knowledge, the SEC has not (as of this writing) made any conclusions that anyone affiliated with Sushi has violated United States federal securities laws,” he stated.

In October 27, SushiSwap restructured its DAO to avoid legal troubles. Pending the investigations with the SEC, Grey claims to be cooperating with the investigation, and a legal defense fund in response to the subpoena was proposed on Sushi's governance forum.

Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.