Decentralized exchange SushiSwap recently suffered an exploit, leading to the loss of over $3.3 million from at least one user.
The exploit stems from an approval-related bug in the RouterProcessor2 contract. Cybersecurity firms PeckShield and Ancilia, Inc., as well as SushiSwap Head Chef Jared Grey, have advised users to revoke their approvals for the contract on all chains. According to Ancilia, Inc., the root cause is a flaw in the contract's internal swap() function.
The flaw lets an unauthorized party pull ("yoink") tokens from anyone who had approved the bad contract, without any further authorization from the token owner. The first attacker used a function named "yoink" to make off with 100 ETH; a second hacker then stole around 1800 ETH using the same contract, but with a differently named function, "notyoink."
Reports suggest that relatively few SushiSwap users are at risk, with DeFi Llama's @0xngmi stating that only those who swapped on SushiSwap within the last four days are affected. However, 190 Ethereum addresses have approved the problematic contract, and more than 2000 addresses on the Layer 2 network Arbitrum appear to have approved it as well.
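Because the recommended mitigation is to check and revoke the allowance granted to the router, the following added example (not SushiSwap's code) builds the raw ERC-20 calls a wallet or script would use for that: an `eth_call` payload for `allowance(owner, spender)`, a decoder for its result, and the calldata for `approve(spender, 0)`. The router and token addresses are placeholders, since the page does not give them; the selectors are the standard ERC-20 ones.

```python
import json

# Standard ERC-20 function selectors (first 4 bytes of keccak256 of the signature).
SEL_ALLOWANCE = "dd62ed3e"   # allowance(address owner, address spender)
SEL_APPROVE = "095ea7b3"     # approve(address spender, uint256 amount)

# PLACEHOLDER: the real RouterProcessor2 address is not on this page; substitute
# the address published by the SushiSwap team for the chain you use.
ROUTER_PLACEHOLDER = "0x" + "42" * 20


def _addr_word(addr: str) -> str:
    """Left-pad a 20-byte hex address to a 32-byte ABI word (hex, no 0x)."""
    h = addr.lower().removeprefix("0x")
    if len(h) != 40 or any(c not in "0123456789abcdef" for c in h):
        raise ValueError(f"bad address: {addr}")
    return h.rjust(64, "0")


def _uint_word(value: int) -> str:
    """ABI-encode a uint256 as a 32-byte word (hex, no 0x)."""
    if not 0 <= value < 2 ** 256:
        raise ValueError("uint256 out of range")
    return f"{value:064x}"


def allowance_call(token: str, owner: str, spender: str) -> dict:
    """JSON-RPC eth_call payload that returns the spender's current allowance."""
    data = "0x" + SEL_ALLOWANCE + _addr_word(owner) + _addr_word(spender)
    return {"jsonrpc": "2.0", "id": 1, "method": "eth_call",
            "params": [{"to": token, "data": data}, "latest"]}


def decode_uint256(ret: str) -> int:
    """Decode the single 32-byte word eth_call returns (here, the allowance)."""
    h = ret.removeprefix("0x")
    if len(h) != 64:
        raise ValueError("expected exactly one 32-byte return word")
    return int(h, 16)


def is_exposed(ret: str) -> bool:
    """True if the spender can still pull tokens, i.e. allowance > 0."""
    return decode_uint256(ret) > 0


def revoke_calldata(spender: str) -> str:
    """Calldata for approve(spender, 0); sent to the token contract, it revokes."""
    return "0x" + SEL_APPROVE + _addr_word(spender) + _uint_word(0)


if __name__ == "__main__":
    # Constructed sample: token and owner addresses are placeholders too.
    print(json.dumps(allowance_call("0x" + "11" * 20, "0x" + "22" * 20, ROUTER_PLACEHOLDER)))
    print(revoke_calldata(ROUTER_PLACEHOLDER))
```

Run the `eth_call` against a node for every token you have swapped through the router; any address where `is_exposed` is true needs the `approve(spender, 0)` transaction sent to that token contract.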
Despite the news, the price of Sushi's governance token fell by only 0.6% in the hour after the incident broke. SushiSwap Head Chef Jared Grey tweeted that the team is "working with security teams to mitigate the issue" and is seeking a $3 million legal defense fund from Sushi DAO after the exchange was subpoenaed by the U.S. Securities and Exchange Commission.
This incident is a reminder of the importance of regularly reviewing contracts, and the approvals granted to them, and of addressing vulnerabilities promptly to prevent significant losses for users. It also highlights the need for security measures that protect users from such exploits in the decentralized finance (DeFi) space, which has grown rapidly in recent years. As the DeFi industry continues to grow, so does the need for stronger security measures to keep users' funds safe.