SushiSwap Exchange Suffers Major Hack-What Happened?

As a result of a hacker taking advantage of a flaw in a smart contract, the popular decentralized exchange (DEX) platform SushiSwap has sustained damages of more than $3.3 million.

To be more exact, the DEX witnessed the exploitation of its RouteProcess02 contract, which is a smart contract that collects trade liquidity from different sources and identifies the most advantageous price for exchanging coins. This attack was then propagated throughout a variety of blockchain networks.

In a tweet, the crypto security firm Ancilia explained that the “Root cause is because in the internal swap() function, it will call swapUniV3() to set variable “lastCalledPool,” which is located at storage slot 0x00.” “The permission check is skipped later on in the swap3callback function,” the passage reads.

The pseudonymous DefiLlama coder known as 0xngmi speculated that the exploit should only affect users who have swapped in the protocol within the previous four days.

“The only users who should have been affected by the Sushiswap hack are the ones who have switched on Sushiswap over the past four days. If you went ahead and accomplished that, “revert approvals as soon as possible or move your funds in the affected wallet to a new wallet,” 0xngmi tweeted.

At this point, the attack has been successful in exploiting at least one user’s account. Reportedly, the victim, who goes by the name Sifu and is well-known in the cryptocurrency community, lost 1,800 ETH, which is equivalent to approximately $3.3 million.

In the meantime, Jared Grey, the principal developer of Sushi, has asked users to cancel rights for all contracts on the protocol, saying that “Sushi’s RouteProcessor2 contract has an approval bug; please revoke approval as soon as possible.”

In addition to this, he addressed the issue by compiling a list of contracts on GitHub that were hosted on a variety of blockchains and required revocation. It is important to note that the susceptible contract is also used on Polygon, which is a well-known Ethereum layer-2 solution.

SushiSwap Recovers a “Large Portion” of Stolen Funds

Through the implementation of a whitehat security procedure, the SushiSwap team was able to successfully retrieve a sizeable percentage of the money that had been taken.

Through the use of a white hat security methodology, we have protected a significant percentage of the monies that were compromised. On April 9 at 9:42 a.m. Eastern Time, Grey said, “If you have performed a whitehat recovery, please contact security@sushi.com for next steps.”

“We have confirmed that more than 300 ETH worth of Coffeebabe of Sifu’s stolen monies has been recovered. Regarding the additional 700 ETH, we are in communication with Lido’s team.

Matthew Lilley, the CTO of Sushiswap, followed up with a statement later in the day stating that there are currently no problems associated with making use of the Sushiswap dex platform. He went on to say that “all exposure to RouterProcessor2 has been removed from the front end,” and that it is now safe to engage in “any LPing or current swap activity.”

The new hack comes on the heels of rising regulatory scrutiny being placed on the DEX, as both Sushi DAO and Grey have been served with a subpoena by the United States Securities and Exchange Commission.

The subpoena was published by the organization on March 21 in the form of a proposal that was sent to the Sushi DAO requesting the establishment of a legal defense fund to pay potential legal fees.

An official statement regarding the subpoena was published by Grey over the weekend. In it, the company claimed that “the SEC’s investigation is a non-public, fact-finding inquiry trying to determine whether there have been any violations of the federal securities laws.”

To the best of our knowledge (as of the time of this writing), the SEC has not reached any findings that anyone linked with Sushi has violated the federal securities laws of the United States.

Sushiswap Sushiswap DEX SushiSwap Exchange SushiSwap hack