Security Flaw in SushiSwap Smart Contract Allows for $3.3M Hack
According to security reports shared on Twitter by CertiK Alert and PeckShield, a bug in the RouteProcessor2 contract of the SushiSwap decentralized finance (DeFi) protocol caused losses of more than $3 million on April 9.
The bug concerned the contract's handling of token approvals. RouteProcessor2 is Sushi's swap router: it combines liquidity from several sources to find the best price for a trade, and users grant it an ERC-20 approval so it can move their tokens when it executes a swap. Within a short span the bug led to a loss of $3.3 million.
Pseudonymous developer 0xngmi from DefiLlama has stated that only those users who conducted swaps through the protocol in the last four days are likely to be affected by the hack.
Jared Grey, Sushi's head developer, advised users to revoke their token approvals for all of the protocol's contracts immediately. To help with this, a list of the contract addresses on each supported blockchain was published on GitHub.
Grey also said the team was working with security firms to mitigate the impact of the approval bug in Sushi's RouteProcessor2 contract.
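Why revoking approvals is the right immediate response, as an added example that is not part of the original article and not Sushi's RouteProcessor2 code: the block below is a constructed Python model of the ERC-20 allowance mechanism. A spender contract can move an owner's tokens with transferFrom up to the remaining allowance, regardless of who asked the spender to do so, so a user's exposure to any bug in an approved contract is bounded only by that allowance (and for the common "unlimited" approval, by their whole balance). Revocation is simply approve(spender, 0). The Router class, the account names and the balances are all hypothetical.

```python
"""Constructed model of ERC-20 allowances (example code, not the project's own).

Demonstrates that an approved contract's reach over a user's tokens equals
the remaining allowance, and that approve(spender, 0) removes that reach.
"""

MAX_UINT256 = 2**256 - 1  # the "infinite" approval many dapps request by default


class Erc20:
    """Minimal ERC-20 ledger: balances, allowances and transferFrom."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}  # (owner, spender) -> remaining allowance

    def approve(self, owner, spender, amount):
        self.allowances[(owner, spender)] = amount

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def transfer_from(self, caller, owner, to, amount):
        # The approved contract (caller) may move the owner's tokens up to the
        # remaining allowance; the token does not know or care who asked it to.
        if self.allowance(owner, caller) < amount:
            raise PermissionError("insufficient allowance")
        if self.balances.get(owner, 0) < amount:
            raise ValueError("insufficient balance")
        self.allowances[(owner, caller)] -= amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


class Router:
    """Hypothetical swap router that pulls tokens via transferFrom.

    pull() deliberately does not verify that the request came from the token
    owner; it stands in for an arbitrary bug in an approved contract.
    """

    NAME = "router"

    def pull(self, token, owner, to, amount):
        token.transfer_from(self.NAME, owner, to, amount)


def exposure(token, owner, spender):
    """Tokens the spender could move right now: bounded by allowance and balance."""
    return min(token.allowance(owner, spender), token.balances.get(owner, 0))


def revoke(token, owner, spender):
    """Revocation is nothing more than approve(spender, 0)."""
    token.approve(owner, spender, 0)


def demo():
    # Constructed sample state: alice granted an unlimited approval when she
    # swapped; bob approved exactly what one swap needed and it was consumed.
    token = Erc20({"alice": 1_000, "bob": 50})
    router = Router()
    token.approve("alice", Router.NAME, MAX_UINT256)
    token.approve("bob", Router.NAME, 0)

    before = exposure(token, "alice", Router.NAME)
    # Anyone who can make the router call transfer_from drains up to that bound.
    router.pull(token, "alice", "attacker", 400)
    after_drain = exposure(token, "alice", Router.NAME)

    revoke(token, "alice", Router.NAME)
    try:
        router.pull(token, "alice", "attacker", 1)
        pull_after_revoke_succeeds = True
    except PermissionError:
        pull_after_revoke_succeeds = False

    return {
        "alice_exposure_before": before,
        "alice_exposure_after_drain": after_drain,
        "alice_exposure_after_revoke": exposure(token, "alice", Router.NAME),
        "bob_exposure": exposure(token, "bob", Router.NAME),
        "attacker_balance": token.balances["attacker"],
        "pull_after_revoke_succeeds": pull_after_revoke_succeeds,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real chain the same step is one approve(spender, 0) transaction per token per affected contract address, which is why the published list of contract addresses matters: revocation has to be done for each spender individually, and a user who only ever granted per-swap approvals that were fully consumed has nothing left to revoke.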
Shortly after the incident, Grey announced on Twitter that a considerable portion of the affected funds had been recovered through a white-hat recovery process.
Specifically, more than 300 ETH was recovered from CoffeeBabe, who had extracted it from the funds stolen from Sifu. Grey added that the team was in contact with Lido about a further 700 ETH.
The weekend of April 8 was an eventful one for the Sushi community. Grey and his legal team also commented on the recent subpoena from the Securities and Exchange Commission (SEC).
Grey stated that the SEC is currently conducting a non-public investigation to determine if there have been any breaches of the federal securities laws. However, as of that time, the SEC had not made any conclusions that anyone connected with Sushi had violated US federal securities laws. Grey emphasized that he was cooperating with the SEC’s investigation.
It is important to note that on March 21, a legal defense fund was proposed on Sushi’s governance forum in response to the subpoena.