SushiSwap, a decentralized finance (DeFi) protocol, was exploited due to a bug in a smart contract. Users who traded in the past five days may be affected.
Seems @SushiSwap was hacked. 🟥
Fear not 🟩
Follow these steps to revoke any contract you might have interacted with and forgotten. https://t.co/SIzdAZk7ZV
— Fortizo (@TKatugwa) April 9, 2023
On April 9th, reports surfaced of a bug in a SushiSwap feature that had caused the loss of millions of dollars. Jared Grey, the CEO of SushiSwap, later confirmed the exploit and provided details (thread) on the actions taken to address the issue.
The main victim of the exploit, which was caused by an "approve-related bug" in SushiSwap's RouterProcessor2 contract, was Sifu, a prominent member of the Crypto Twitter community, whose wallet lost about 1,800 ETH, according to the crypto analytics firm PeckShield.
After a separate investigation, Ancilia, a cybersecurity firm backed by Binance, concluded that the vulnerability resulted from a failure to validate access permissions during a swap transaction. The firm also discovered a vulnerable contract on the Polygon network.
PeckShield and SushiSwap Head Chef Jared Grey recommended revoking the RouterProcessor2 contract on all chains. Here's a detailed tutorial (thread) on that from @lookonchain, and here you can find a similar tutorial for Polygon.
According to Ancilia, Inc., the technical root cause "is because in the internal swap() function, it will call swapUniV3() to set variable 'lastCalledPool' which is at storage slot 0x00." They also added that "later on in the swap3callback function, the permission check gets bypassed."
In other words, any user who had approved the vulnerable router contract to spend their tokens had unknowingly given the exploiter a way to pull those tokens out through the attacker's "yoink" function, because the router's check of who was permitted to spend the approved funds could be bypassed.
"The bug allows an unauthorized entity to essentially 'yoink' tokens without the proper approval from the token owner," explains The Block Research Analyst Brad Kay, adding: "Following the first attack for 100 ETH — possibly a white hat — it seems like another hacker came along and stole another 1800-ish ETH using the same contract but instead named their function 'notyoink.'" (Source)
It seems the exploited RouteProcess02 contract has been deployed in multiple chains. @SushiSwap
Please *REVOKE* the following addresses ASAP.
ETH: 0x044b7..7357
BSC: 0xd75f...6550
POLYGON: 0x5097...649a
AVAX: 0xbace...9c4f
FTM: 0x3e60...c715 https://t.co/nWcI9oydW6
— PeckShield Inc. (@peckshield) April 9, 2023
Early reports already claimed that the number of SushiSwap users at risk was not too big:
only users impacted by sushiswap hack should be those that swapped on sushiswap in the last 4 days, if you did so revert approvals asap or move your funds in affected wallet to a new wallet
— 0xngmi (llamazip arc) (@0xngmi) April 9, 2023
The DeFi Llama team also published a list of contracts across all chains that should be revoked and built a tool to check whether any of your addresses have been affected.
According to Block Research Analyst Kevin Peng, the problematic contract had been approved by 190 Ethereum addresses at that point. On Arbitrum, however, over 2,000 addresses had approved the bad contract.
🚨 Urgent update regarding Sushiswap's hack
All of you are at critical risk of having your wallet's crypto stolen. The only way to protect yourself is to update Sushiswap contracts here: https://t.co/I0yhmom9iq
⬆️ If you do not update, your wallet will 100% get hacked
— Sushi.com (@SushiSwapDev) April 9, 2023
Sunday morning, SushiSwap CTO Matthew Lilley followed up with some additional details (thread):
If you have another address for where your funds went, then please contact us at security@sushi.com w/ the tx hash and chain you were on. We will continue to update everyone as we gather more information, and appreciate everyone working together with us to amend the situation.
— I'm Software 🦇🔊 (@MatthewLilley) April 9, 2023
Jared Grey, for his part, reported that more than 300 ETH of Sifu's stolen funds had since been recovered, with another 700 ETH in the process of being returned:
The SushiSwap team has also provided a link that traders can use to check their accounts and revoke any permissions if necessary.
💡 To find out if you're vulnerable to the approval of RouteProcessor 2
👉 Use this link to check and revoke if you have tokens approved.
🔓 https://t.co/HUBz9Hi82h
— Sushi.com (@SushiSwap) April 9, 2023
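As an added illustration of what the approval checkers mentioned above (DeFi Llama's tool and Sushi's own page) do under the hood, the following example code, written here and not taken from either project, ABI-encodes the ERC-20 allowance(owner, spender) query a checker sends via eth_call for each token, flags tokens where the router still holds a non-zero allowance, and builds the approve(spender, 0) calldata that revokes it. The router and token addresses are constructed placeholders (the page only gives truncated router addresses), and eth_call is replaced by an in-memory fake so the code runs offline.

```python
from typing import Callable, List

# Well-known ERC-20 selectors: the first 4 bytes of keccak256 of the function signature.
ALLOWANCE_SELECTOR = "dd62ed3e"  # allowance(address,address)
APPROVE_SELECTOR = "095ea7b3"    # approve(address,uint256)
# Placeholder spender (constructed): the page only gives truncated router addresses.
ROUTER_SPENDER = "0x" + "44" * 20
MAX_UINT256 = (1 << 256) - 1

def _abi_address(addr: str) -> str:
    """ABI-encode an address as a 32-byte word (left-padded with zeros)."""
    hex_part = addr.lower()
    hex_part = hex_part[2:] if hex_part.startswith("0x") else hex_part
    if len(hex_part) != 40:
        raise ValueError(f"not a 20-byte address: {addr}")
    return hex_part.rjust(64, "0")

def allowance_calldata(owner: str, spender: str) -> str:
    """Calldata for allowance(owner, spender), sent to the token contract via eth_call."""
    return "0x" + ALLOWANCE_SELECTOR + _abi_address(owner) + _abi_address(spender)

def revoke_calldata(spender: str) -> str:
    """Calldata for approve(spender, 0): sending this to the token revokes the allowance."""
    return "0x" + APPROVE_SELECTOR + _abi_address(spender) + "0" * 64

def decode_uint256(result: str) -> int:
    """Decode the single uint256 word that allowance() returns."""
    data = result[2:] if result.startswith("0x") else result
    if len(data) != 64:
        raise ValueError("unexpected eth_call result length")
    return int(data, 16)

def find_exposed_tokens(owner: str, spender: str, tokens: List[str],
                        eth_call: Callable[[str, str], str]) -> List[str]:
    """Tokens where owner still has a non-zero allowance granted to spender.
    eth_call(to, data) wraps a JSON-RPC eth_call and returns the hex result."""
    return [t for t in tokens
            if decode_uint256(eth_call(t, allowance_calldata(owner, spender))) > 0]

# Constructed stand-in for a node: token A has an unlimited approval, token B has none.
FAKE_TOKEN_A, FAKE_TOKEN_B = "0x" + "aa" * 20, "0x" + "bb" * 20
_FAKE_ALLOWANCES = {FAKE_TOKEN_A: MAX_UINT256, FAKE_TOKEN_B: 0}

def fake_eth_call(to: str, data: str) -> str:
    """Answers allowance() queries from the constructed table above."""
    assert data.startswith("0x" + ALLOWANCE_SELECTOR)
    return "0x" + format(_FAKE_ALLOWANCES[to], "064x")
```

Against a real node, replace fake_eth_call with a function that posts a JSON-RPC eth_call for the token and calldata and returns the "result" field; each token returned by find_exposed_tokens then needs an approve(spender, 0) transaction signed by the owner.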
Later on Sunday, the SushiSwap team claimed the exchange was up and running and bug-free:
There is no risk at this time with using Sushi Protocol, and the UI. All exposure to RouterProcessor2 has been removed from the front end, and all LPing / current swap activity is safe to do.
— I'm Software 🦇🔊 (@MatthewLilley) April 9, 2023
Previous 5 days, to be safe.
— Jared Grey (@jaredgrey) April 9, 2023
External observers also signaled a resolution of the situation:
To conclude, another educational thread about interacting with DeFi and revoking methods and tools you can use: