A critical security flaw has been found in cryptocurrency platform SushiSwap, identified this weekend by security firm PeckShield. The vulnerability concerns the ‘RouterProcessor2’ contract, which is used for routing in SushiSwap.
According to the security firm, the flaw in the contract resulted in the loss of more than $3.3 million (approximately 1800 ETH) from a single user identified as 0xSifu.
“It seems that the SushiSwap contract RouterProcessor2 has an approval-related bug, which led to the loss of over $3.3 million for user 0xSifu,” PeckShield said on Twitter.
The bug is in the logic that checks the permissions (approvals) users have granted for access to their cryptocurrency wallets. The vulnerability allowed the attacker to extract coins from users’ vaults.
It seems the @SushiSwap RouterProcessor2 contract has a bug related to approval, leading to > $3.3 million loss (about 1800 eth) of @0xSifu.
If you approved https://t.co/E1YvC6VZsP, *RECALL* ASAP!
An example hack tx: https://t.co/ldg0ww3hAN pic.twitter.com/OauLbIgE0Q
— Peck Shield Inc. (@peckshield) April 9, 2023
The SushiSwap Router Processor is a smart contract powered by the Ethereum blockchain. Its main function is to identify the optimal method of exchanging one type of cryptocurrency for another. It achieves this by running trades through a series of liquidity pools to obtain the most favorable price for the trade.
Revoke your permissions
SushiSwap lead developer Jared Gray acknowledged the error and urged users to revoke permissions for all contracts on the platform.
“Recovery efforts continue,” said Jared Gray, referring to a tweet from MetaSleuth that provided an analysis of the stolen funds.
Recovery efforts are underway: https://t.co/TxpxyJ4Uhj
— Jared Gray (@jaredgrey) April 9, 2023
The glitch appears to have affected users who approved SushiSwap contracts in the past four days. Security teams are working to resolve the issue and track down the stolen funds, with BlockSecTeam participating in recovery efforts.
Meanwhile, users of the DeFi platform are advised to revoke permissions for all SushiSwap contracts to protect their assets.
A developer at DefiLlama said the exploit appeared to affect only users who approved contracts on SushiSwap in the past 4 days.
“Users affected by the SushiSwap hack are only those who have used the platform in the past 4 days. If you did, reverse approvals as soon as possible or move your funds in the affected wallet to a new wallet,” he said.
If you are a SushiSwap user, here is a list of contracts that must be revoked immediately.
only users affected by the sushiswap hack should be those who have traded on sushiswap in the last 4 days, if you have done so reverse the approvals ASAP or move your funds in the affected wallet to a new wallet
— 0xngmi (llamazip arc) (@0xngmi) April 9, 2023
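The advice above comes down to finding approvals granted to the affected contract in the last four days that have not since been reset to zero. One way to run that check over ERC-20 `Approval` event logs follows; it is an added example, not code from SushiSwap, PeckShield or this article, and the spender address, the sample logs and the `timestamp` field are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone

# keccak256("Approval(address,address,uint256)"): topic0 of the ERC-20 Approval event
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
# Placeholder spender, NOT the real RouterProcessor2 address (the article gives none)
AFFECTED_SPENDER = "0x" + "a1" * 20

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def open_approvals(logs, spender, now, window_days=4):
    """Map (token, owner) -> last amount approved to `spender`, for approvals
    granted inside the exposure window and not later reset to zero."""
    cutoff = now - timedelta(days=window_days)
    state = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # ERC-721 Approval shares topic0 but has 4 topics
        if topic_to_address(topics[2]) != spender.lower():
            continue
        key = (log["address"].lower(), topic_to_address(topics[1]))
        amount = int(log["data"], 16)
        granted = datetime.fromtimestamp(log["timestamp"], tz=timezone.utc)
        if amount == 0:
            state.pop(key, None)   # approve(spender, 0) is a revocation
        elif granted >= cutoff:
            state[key] = amount    # a later event overrides an earlier one
    return state

# Constructed sample logs; "timestamp" is assumed to be joined in from the block header
def make_log(token, owner, spender, amount, block, day):
    pad = lambda addr: "0x" + addr[2:].rjust(64, "0")
    when = datetime(2023, 4, day, tzinfo=timezone.utc)
    return {"address": token, "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(amount, "064x"), "blockNumber": block,
            "logIndex": 0, "timestamp": int(when.timestamp())}

TOKEN, ALICE, BOB, CAROL, OTHER = ("0x" + c * 40 for c in "1234f")
MAX = 2**256 - 1
SAMPLE_LOGS = [
    make_log(TOKEN, ALICE, AFFECTED_SPENDER, MAX, 100, 8),  # in window, still open
    make_log(TOKEN, BOB, AFFECTED_SPENDER, MAX, 101, 7),
    make_log(TOKEN, BOB, AFFECTED_SPENDER, 0, 140, 9),      # revoked afterwards
    make_log(TOKEN, CAROL, AFFECTED_SPENDER, 500, 10, 1),   # older than the window
    make_log(TOKEN, ALICE, OTHER, MAX, 102, 8),             # different spender
]
NOW = datetime(2023, 4, 9, 12, tzinfo=timezone.utc)
print(open_approvals(SAMPLE_LOGS, AFFECTED_SPENDER, NOW))
```

Event logs record the last amount approved, not what remains after spending, so confirm each hit against the token's `allowance(owner, spender)` before treating it as open or closed.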
The incident sent the price of the Sushi token down nearly 5% in 24 hours; it is currently trading around $1.03.
The disclosure of the vulnerability comes just days after Sushi’s CEO announced the launch of SushiSwap V3.
In a recent post, he mentioned that V3 had already reached a significant Total Value Locked (TVL) and hinted at a planned release date for the following week. However, it remains to be seen whether recent events will affect this timeline.
Source: Live Coins

Barry Siefert is an accomplished journalist and author at The Nation View.