Sunday, May 28, 2023

SushiSwap approval bug leads to $3.3M exploit


Only users who have traded on the decentralized exchange in the last four days are apparently affected.



A bug in a smart contract of the decentralized finance (DeFi) protocol SushiSwap led to over $3 million in losses in the early hours of April 9, according to several security reports on Twitter.

Blockchain security companies CertiK Alert and PeckShield posted about unusual activity related to the approval function in Sushi’s RouteProcessor2 contract, a smart contract that aggregates trade liquidity from multiple sources and identifies the most favorable price for swapping coins. Within a few hours, the bug led to losses of $3.3 million.

It seems the @SushiSwap RouterProcessor2 contract has an approve-related bug, which leads to the loss of >$3.3M (about 1800 eth) from @0xSifu.

If you have approved, please *REVOKE* ASAP!

One example hack tx:

— PeckShield Inc. (@peckshield)

April 9, 2023

According to pseudonymous DefiLlama developer 0xngmi, the hack should only affect users who swapped in the protocol in the past four days.

Sushi’s head developer Jared Grey urged users to revoke permissions for all contracts on the protocol. “Sushi’s RouteProcessor2 contract has an approval bug; please revoke approval ASAP. We’re working with security teams to mitigate the issue,” he noted. A list of the contracts requiring revocation across different blockchains has been published on GitHub to address the problem.

We’ve confirmed recovery of more than 300ETH from CoffeeBabe of Sifu’s stolen funds. We’re in contact with Lido’s team regarding 700 more ETH.

— Jared Grey (@jaredgrey)

April 9, 2023

Hours after the incident, Grey took to Twitter to announce that a “large portion of affected funds” had been recovered through a whitehat security process. “We’ve confirmed recovery of more than 300ETH from CoffeeBabe of Sifu’s stolen funds. We’re in contact with Lido’s team regarding 700 more ETH.”

The Sushi community has had an intense weekend. On April 8, Grey and his counsel provided comments on the recent subpoena from the United States Securities and Exchange Commission (SEC).

“The SEC’s investigation is a non-public, fact-finding inquiry trying to determine whether there have been any violations of the federal securities laws. To the best of our knowledge, the SEC has not (as of this writing) made any conclusions that anyone affiliated with Sushi has violated United States federal securities laws,” he stated.

Grey claims to be cooperating with the investigation. A legal defense fund in response to the subpoena was proposed on Sushi’s governance forum on March 21.
