SushiSwap, a popular decentralized exchange, has experienced an exploit that led to a loss of over $3.3 million for at least one user, identified as 0xSifu on Twitter.
It seems the @SushiSwap RouterProcessor2 contract has an approve-related bug, which leads to a loss of >$3.3M (about 1800 eth) from @0xSifu.
If you have approved https://t.co/E1YvC6VZsP, please *REVOKE* ASAP!
One example hack tx: https://t.co/ldg0ww3hAN pic.twitter.com/OauLbIgE0Q
— PeckShield Inc. (@peckshield) April 9, 2023
The exploit originates from an approve-related bug in the RouterProcessor2 contract, and both PeckShield and SushiSwap Head Chef Jared Grey have advised users to revoke their approvals for the contract on every chain where it is deployed.
Additionally, from PeckShield, revoke all chains: https://t.co/GcCuY0OEb5
— Jared Grey (@jaredgrey) April 9, 2023
The root cause of the exploit, as identified by the cybersecurity company Ancilia, Inc., is a flaw in the internal swap() function of the SushiSwap contract. When executed, this function calls swapUniV3(), which writes the “lastCalledPool” variable at storage slot 0x00. Because the subsequent swap3callback function trusts whatever address lastCalledPool holds, its permission check is bypassed.
This flaw in the contract's “approve” handling lets an unauthorized party pull tokens from any wallet that has approved the contract, without that wallet owner's consent; the technique has informally been called “yoinking.”
According to Brad Kay, a research analyst at The Block, an attacker first exploited the “yoink” function and stole 100 ETH; this first attacker may have been a white hat hacker. Afterwards, another hacker stole around 1800 ETH through the same contract using a function named “notyoink.”
Despite the significant loss, early reports suggest that only a limited number of SushiSwap users are at risk.
DeFi Llama’s @0xngmi claims that only those who swapped on SushiSwap within the last four days should be affected. The platform has published a list of contracts across all chains that should be revoked and created a tool to check if any user addresses have been impacted.
Kevin Peng, another research analyst at The Block, estimates that 190 Ethereum addresses and over 2000 Layer 2 Arbitrum addresses have approved the problematic contract. Despite the exploit, the price of Sushi’s governance token experienced only a slight 0.6% decline within an hour of the news becoming public.
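The check behind the impact tool and the approval counts described above can be reproduced from on-chain ERC-20 Approval events. The script below is an added example, not code from the article, SushiSwap or DeFi Llama: it decodes raw eth_getLogs-style Approval entries, replays them in chain order so that a later approve(spender, 0) correctly cancels an earlier grant, and lists the (token, owner) pairs that still hold a non-zero allowance for a suspect spender. The router address, token addresses, wallet addresses and the log entries themselves are constructed placeholders, since the article only gives a shortened link for the affected contract.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# keccak256("Approval(address,address,uint256)"), the standard ERC-20 event signature.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"

# Constructed placeholder standing in for the affected router contract (not its real address).
SUSPECT_SPENDER = "0x00000000000000000000000000000000000000f0"


@dataclass(frozen=True)
class Approval:
    token: str       # token contract that emitted the event
    owner: str       # wallet that granted the allowance
    spender: str     # address allowed to pull the owner's tokens
    value: int       # allowance after this event; 0 means revoked
    block: int
    log_index: int


def topic_to_address(topic: str) -> str:
    """Indexed address topics are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()


def decode_approval(log: dict) -> Optional[Approval]:
    """Decode one raw log entry; return None for anything that is not a well-formed Approval."""
    topics = log.get("topics", [])
    if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
        return None
    data = log.get("data", "0x")
    if len(data) != 66:  # "0x" + 32 bytes; some non-standard tokens emit odd payloads
        return None
    return Approval(
        token=log["address"].lower(),
        owner=topic_to_address(topics[1]),
        spender=topic_to_address(topics[2]),
        value=int(data, 16),
        block=log["blockNumber"],
        log_index=log["logIndex"],
    )


def outstanding_allowances(logs: List[dict], spender: str) -> Dict[Tuple[str, str], int]:
    """Latest non-zero allowance per (token, owner) granted to `spender`.

    Logs may arrive in any order, so they are sorted by (block, logIndex) before replay;
    only then does an Approval(..., 0) revoke reliably supersede an earlier grant.
    """
    approvals = [a for a in map(decode_approval, logs) if a is not None]
    approvals.sort(key=lambda a: (a.block, a.log_index))
    latest: Dict[Tuple[str, str], int] = {}
    for a in approvals:
        if a.spender == spender.lower():
            latest[(a.token, a.owner)] = a.value
    return {k: v for k, v in latest.items() if v > 0}


def revoke_list(logs: List[dict], spender: str) -> List[Tuple[str, str]]:
    """(token, owner) pairs whose owners should still call approve(spender, 0)."""
    return sorted(outstanding_allowances(logs, spender))


# ---- constructed sample data (placeholder addresses, not real chain data) ----
def _pad(addr: str) -> str:
    return "0x" + addr[2:].lower().rjust(64, "0")


def _u256(value: int) -> str:
    return "0x" + format(value, "064x")


TOKEN_A = "0x00000000000000000000000000000000000000a1"
TOKEN_B = "0x00000000000000000000000000000000000000b2"
ALICE = "0x0000000000000000000000000000000000000a11"
BOB = "0x0000000000000000000000000000000000000b0b"
OTHER_SPENDER = "0x0000000000000000000000000000000000000dad"


def _log(token: str, owner: str, spender: str, value: int, block: int, idx: int) -> dict:
    return {"address": token, "topics": [APPROVAL_TOPIC, _pad(owner), _pad(spender)],
            "data": _u256(value), "blockNumber": block, "logIndex": idx}


SAMPLE_LOGS = [
    _log(TOKEN_A, BOB, SUSPECT_SPENDER, 0, 102, 1),               # Bob's revoke, listed out of order
    _log(TOKEN_A, ALICE, SUSPECT_SPENDER, (1 << 256) - 1, 100, 3), # unlimited approval, never revoked
    _log(TOKEN_A, BOB, SUSPECT_SPENDER, 10**18, 100, 7),           # Bob's earlier grant
    _log(TOKEN_B, ALICE, OTHER_SPENDER, 5 * 10**18, 101, 2),       # different spender, ignored
    _log(TOKEN_B, ALICE, SUSPECT_SPENDER, 5 * 10**18, 101, 4),     # second token still approved
    {"address": TOKEN_B, "topics": [APPROVAL_TOPIC], "data": "0x",
     "blockNumber": 103, "logIndex": 0},                           # malformed entry, skipped
]

if __name__ == "__main__":
    for token, owner in revoke_list(SAMPLE_LOGS, SUSPECT_SPENDER):
        print(f"{owner} should revoke {SUSPECT_SPENDER} on token {token}")
```

Two caveats apply when running this against real logs. Approval events alone can overstate exposure, because some token implementations emit an Approval when transferFrom spends part of an allowance and others do not, so an `allowance(owner, spender)` call is the authoritative confirmation before telling a user they are safe. And the query must cover every chain the router was deployed on, which is why the revocation advice in the article is per chain rather than Ethereum-only.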
In the wake of the exploit, Grey, who is also seeking a $3 million legal defense fund from Sushi DAO after the platform was hit with a subpoena from the U.S. Securities and Exchange Commission, announced that SushiSwap is “working with security teams to mitigate the issue.”
Users are urged to follow the recommendations from PeckShield and Grey to protect their assets.