SushiSwap Falls Victim to $3.3 Million Exploit. What Happened?
Ethereum-based decentralized exchange SushiSwap suffered a hack resulting in over $3.3 million loss on Saturday
Blockchain security firm PeckShield was the first to identify and report the critical vulnerability in SushiSwap's approval function involving the RouterProcessor2 contract, which is a smart contract that aggregates trade liquidity from various dapps and determines the best price for swapping tokens. This security breach resulted in an exploit that drained 1,800 ETH from a single user known as @0xSifu on Twitter. The company advised users to revoke permission to the contract as a measure to prevent losses.
SushiSwap Head Chef Jared Grey has confirmed the bug and also urged users to revoke permissions for all contracts on SushiSwap and provided a list of contracts on GitHub requiring revocation to address the problem.
Binance-backed cybersecurity firm Ancilia also analyzed the vulnerability and found the issue was the failure to validate access permissions halfway through a swap transaction. Ancilia also identified the vulnerable contract on the Polygon network.
A few hours after the hack, Jared Grey announced the recovery of a "large portion of affected funds". According to Grey, more than 300 ETH of Sifu's stolen tokens has been recovered, while another 700 ETH are in process.
According to DefiLlama developer 0xngmi, the hack only impacted users who approved SushiSwap contracts within the last four days. 0xngmi published a list of contracts across all chains that should be revoked and built a tool to check if any of the user's addresses have been impacted.
Despite this incident, the price of SushiSwap's native token SUSHI has not been affected significantly losing about 4% within 24 hours since the exploit but quickly rebounding to its usual price range and currently trading at around $1,1.
Source and Copyright: ©TradingView
