Only individuals who have traded on the decentralized exchange during the past four days appear to be impacted.
According to various security warnings on Twitter, a bug in a smart contract on the decentralized finance (DeFi) protocol SushiSwap resulted in over $3 million in losses in the early hours of April 9.
CertiK Alert and Peckshield, two blockchain security firms, published information regarding an abnormal activity related to the approval function in Sushi’s Router Processor 2 contract, a smart contract that gathers trading liquidity from many sources and determines the best price for exchanging coins. The bug quickly resulted in losses of $3.3 million.
Also Read: Hedera Exploit: Smart Contract Code Targeted by Attackers
It seems the @SushiSwap RouterProcessor2 contact has an approve-related bug, which leads to the loss of >$3.3M loss (about 1800 eth) from @0xSifu.
If you have approved https://t.co/E1YvC6VZsP, please *REVOKE* ASAP!
One example hack tx: https://t.co/ldg0ww3hAN pic.twitter.com/OauLbIgE0Q
— PeckShield Inc. (@peckshield) April 9, 2023
The exploit should only impact customers who switched to the protocol during the last four days, according to DefiLlama’s anonymous developer 0xngmi.
Jared Grey, the chief developer of Sushi, asked users to cancel authorization for any contract on the protocol. “Sushi’s RouteProcessor2 contract has an approval bug; please revoke the approval immediately.” He said we’re working with security teams to mitigate the issue. To solve the problem, a list of contracts with revocation requirements across various blockchains has been compiled on GitHub.
We've secured a large portion of affected funds in a whitehat security process. If you have performed a whitehat recovery please contact security@sushi.com for next steps.
— Jared Grey (@jaredgrey) April 9, 2023
A “large portion of affected funds” had been retrieved via a white hat security process, Grey tweeted hours after the incident. “We can now confirm that CoffeeBabe recovered more than 300ETH of Sifu’s stolen funds. Regarding the additional 700 ETH, we are in touch with Lido’s team.
The weekend was very demanding for the sushi community. On April 8, Grey and his counsel made a statement regarding the most recent subpoena from the US Securities and Exchange Commission.
“The SEC is conducting a non-public fact-finding investigation to see whether any violations of the federal securities laws have occurred. To the best of our knowledge, the SEC has not determined that anyone associated with Sushi violated any US federal securities laws (as of this writing),” he said. Grey asserts that he is helping with the inquiry. On March 21, a proposal for a legal defence fund in response to the subpoena appeared on Sushi’s governance forum.