SushiSwap, a decentralized exchange, has recently fallen victim to an exploit that led to the loss of over $3.3 million from at least one user. According to reports, the exploit involved an approval-related bug in the RouterProcessor2 contract, which allowed an unauthorized party to steal tokens by abusing the ERC-20 “approve” mechanism. The cybersecurity community has warned that the bug lets attackers drain tokens from unsuspecting users, a practice the crypto community has dubbed “yoinking.”
To address the issue, PeckShield and SushiSwap Head Chef Jared Grey recommend revoking approvals granted to the RouterProcessor2 contract on all chains. According to Ancilia, Inc., the root cause was that the internal swap() function called swapUniV3(), which set a variable named “lastCalledPool” located at storage slot 0x00. Later, in the swap3callback function, the permission check that relies on that variable is bypassed, allowing the unauthorized party to pull tokens from users who had approved the contract.
Following the first attack, which netted 100 ETH, another attacker appears to have used the same contract to steal roughly 1800 more ETH, this time naming their function “notyoink.” The Block Research Analyst Brad Kay explains that the bug allowed an unauthorized party to essentially “yoink” tokens without proper approval from the token owner.
Early reports suggest that relatively few SushiSwap users are currently at risk. DeFi Llama’s @0xngmi says that only those who swapped on SushiSwap within the last four days are likely to be affected. DeFi Llama has also published a list of the contracts across all chains that should be revoked and built a tool to check whether any of your addresses have been impacted. The Block Research Analyst Kevin Peng notes that, so far, 190 Ethereum addresses have approved the problematic contract, while more than 2000 addresses on the Layer 2 network Arbitrum appear to have approved it.
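The remediation above comes down to two ERC-20 calls per token: read `allowance(owner, spender)` to see whether the router can still spend on your behalf, and if so send `approve(spender, 0)` to zero it out. The following is an added example (not code from the article, from SushiSwap, PeckShield or DeFi Llama) that builds those calls by hand, so it runs offline; the router and token addresses it uses are constructed placeholders, not the real RouterProcessor2 deployments, and the `eth_call` return data is constructed sample output rather than anything read from a chain.

```python
"""
Hand-rolled ERC-20 allowance check and approval revocation.

Added example; the addresses and return values below are constructed
placeholders, not the real RouterProcessor2 contract or live chain data.
"""

# ERC-20 function selectors: first four bytes of keccak256 of the signature.
SEL_ALLOWANCE = bytes.fromhex("dd62ed3e")  # allowance(address,address)
SEL_APPROVE = bytes.fromhex("095ea7b3")    # approve(address,uint256)


def _strip0x(h: str) -> str:
    return h[2:] if h.startswith("0x") else h


def _addr_word(hex_addr: str) -> bytes:
    """ABI-encode a 20-byte address as a left-padded 32-byte word."""
    raw = bytes.fromhex(_strip0x(hex_addr))
    if len(raw) != 20:
        raise ValueError("address must be exactly 20 bytes")
    return raw.rjust(32, b"\x00")


def _uint_word(n: int) -> bytes:
    """ABI-encode an unsigned integer as a 32-byte big-endian word."""
    if not 0 <= n < 2**256:
        raise ValueError("uint256 out of range")
    return n.to_bytes(32, "big")


def allowance_calldata(owner: str, spender: str) -> str:
    """Calldata for eth_call against a token: allowance(owner, spender)."""
    return "0x" + (SEL_ALLOWANCE + _addr_word(owner) + _addr_word(spender)).hex()


def decode_uint256(ret_hex: str) -> int:
    """Decode the single uint256 word that allowance() returns."""
    data = bytes.fromhex(_strip0x(ret_hex))
    if len(data) != 32:
        raise ValueError("expected a 32-byte return value")
    return int.from_bytes(data, "big")


def revoke_calldata(spender: str) -> str:
    """Calldata for a transaction to the token: approve(spender, 0)."""
    return "0x" + (SEL_APPROVE + _addr_word(spender) + _uint_word(0)).hex()


def plan_revocations(owner: str, spender: str, allowance_results: dict) -> list:
    """
    Given eth_call results for allowance(owner, spender) keyed by token
    address, return (token, calldata) pairs for every token that still has a
    nonzero allowance and therefore needs a revoke transaction.
    """
    plan = []
    for token, ret_hex in allowance_results.items():
        if decode_uint256(ret_hex) > 0:
            plan.append((token, revoke_calldata(spender)))
    return plan


if __name__ == "__main__":
    # Constructed placeholders: a user wallet, a "router" spender and two tokens.
    owner = "0x" + "11" * 20
    router = "0x" + "22" * 20
    token_a = "0x" + "aa" * 20
    token_b = "0x" + "bb" * 20

    # Constructed eth_call return data: token_a has an unlimited allowance,
    # token_b has none.
    results = {
        token_a: "0x" + "ff" * 32,
        token_b: "0x" + "00" * 32,
    }

    print("allowance query:", allowance_calldata(owner, router))
    for token, data in plan_revocations(owner, router, results):
        print(f"send to {token}: {data}")
```

In practice the `allowance` calldata goes into an `eth_call` to each token contract with the wallet as `owner` and the suspect router as `spender`, and each entry the plan returns is a transaction to that token with the `approve(spender, 0)` calldata; an unlimited (all-`ff`) allowance is exactly the case the revocation advice targets, since any contract that can call `transferFrom` on the user's behalf can drain up to that amount.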
The price of Sushi’s governance token fell by only 0.6% in the hour after the news broke. Jared Grey, who is also seeking a $3 million legal defense fund from Sushi DAO after Sushi was served a subpoena by the U.S. Securities and Exchange Commission, tweeted that Sushi is “working with security teams to mitigate the issue.” The cybersecurity community has advised SushiSwap users to remain cautious and to take the necessary precautions to protect their assets.