Decentralized exchange (DEX) SushiSwap is the latest victim of a DeFi exploit causing at least $3.3 million in losses for one user.
Blockchain security firm Peckshield reported that the exploit was caused by an approve-related bug in its RouterProcessor2 contract. To prevent losses, the firm recommended that users revoke permission to the contract.
Peckshield added that the exploited contract was deployed on several chains, including Ethereum, BSC, Polygon, Fantom, Avalanche, etc.
SushiSwap Confirms Exploit
SushiSwap’s Head Chef, Jared Grey, confirmed the incident and advised users to revoke all chains. He added that the protocol was working with security teams to mitigate the issue.
It is uncertain how many people were affected by the hack. But Peckshield has identified at least one user, OxSifu. The popular DeFi personality lost about 1,800 ETH worth $3.3 million to the exploit.
One white hat hacker who discovered the bug initially took 100 ETH from the OxSifu wallet, likely to highlight the bug. But others quickly deployed the contract and started copying the attack. Other users have also begun confirming that they lost their funds.
How Was SushiSwap Exploited?
Cybersecurity firm Ancilla gave a technical explanation of what happened. The firm wrote:
“Root cause is because in the internal swap() function, it will call swapUniV3() to set variable “lastCalledPool” which is at storage slot 0x00. Later on in the swap3callback function the permission check get bypassed.”
According to DeFillama developer 0xngmi, the users likely to be affected are those approved on SushiSwap over the last two weeks, as the contract has been deployed on some chains for up to 2 weeks. Thus, the safest decision would be to revoke all approvals.
Some developers have also built a tool allowing users to search their addresses and see if they are impacted.
Furthermore, the exploit highlights the multiple issues of the DeFi ecosystem, even in what has been a relatively quiet year for hacks and exploits. One user captured the frustration with a tweet saying, “Honestly just take my tokens. This is exhausting.”
SUSHI Tanks 6%
Following news of the exploit, the SUSHI token is down 6% in the last 24 hours to $1.07 at the time of writing, according to BeInCrypto data.
Earlier in the week, Grey pointed out that the DEX’s cross-chain swap (xSwap) was seeing significant volume increases.
BeInCrypto reported that the DeFi platform’s decentralized autonomous organization (DAO) was recently targeted by the United States Securities and Exchange Commission (SEC). According to the report, the DAO is setting up a legal defense fund to cover legal costs for core contributors.
Disclaimer
All the information contained on our website is published in good faith and for general information purposes only. Any action the reader takes upon the information found on our website is strictly at their own risk.
Source: https://beincrypto.com/sushiswap-exploit-sushi-tanks-6/