Exclusive: Hacker behind SushiSwap’s preemptive Sifu hack explained how it was done
In an exclusive interview with crypto.news, the pseudonymous white-hat hacker known as Trust shared crucial details about a recent hack that exploited a vulnerability in SushiSwap's RouteProcessor2 contract.
Trust saved a significant amount of users' funds by carrying out a preemptive hack on April 10 against the funds held by Sifu, moving them to safety and then returning them.
Unfortunately, malicious actors were able to replicate the attack and exploit the vulnerability against other token holders.
SushiSwap hit by advanced attack
Trust explained that the RouteProcessor2 contract, deployed just four days earlier, is designed to handle various kinds of token swaps on SushiSwap (SUSHI). Users pre-approve the contract to spend their ERC20 tokens and then call its swap() function to execute a swap.
However, the contract interacts with UniswapV3 pools in an unsafe manner: it completely trusts the user-supplied "pool" address.
That oversight lets a malicious "pool" feed the contract false information about the source and amount of a transfer, so any user can fake a swap and pull tokens from another user's balance, up to the full amount that user approved.
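To make the mechanism concrete, here is an added illustration (not RouteProcessor2's source code, and not code from Trust or SushiSwap) of the unsafe pattern beside a hardened version. It relies on the standard Uniswap V3 design in which a pool collects payment by calling `uniswapV3SwapCallback` on the contract that invoked `swap`; the contract names, variable names, interface subsets and the factory-based pool check are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Hypothetical illustration, not RouteProcessor2's source. The interfaces below follow
// the standard ERC20 and Uniswap V3 shapes; contract and variable names are assumed.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface IUniswapV3Pool {
    function token0() external view returns (address);
    function token1() external view returns (address);
    function swap(
        address recipient,
        bool zeroForOne,
        int256 amountSpecified,
        uint160 sqrtPriceLimitX96,
        bytes calldata data
    ) external returns (int256 amount0, int256 amount1);
}

interface IUniswapV3Factory {
    function getPool(address tokenA, address tokenB, uint24 fee) external view returns (address);
}

/// Unsafe pattern: the caller names the pool, and the callback believes whatever
/// that pool says about which token, which payer and how much.
contract VulnerableRouter {
    address private lastCalledPool;

    function swap(address pool, address tokenIn, bool zeroForOne, uint256 amountIn, uint160 sqrtPriceLimitX96) external {
        lastCalledPool = pool; // attacker-chosen; the only later check is "is this the address I just called?"
        IUniswapV3Pool(pool).swap(msg.sender, zeroForOne, int256(amountIn), sqrtPriceLimitX96, abi.encode(tokenIn, msg.sender));
        lastCalledPool = address(0);
    }

    // The pool calls this to collect payment. A contract posing as a pool passes the
    // msg.sender check (it IS lastCalledPool) and supplies its own `data` and deltas:
    // any token, any victim who has approved this router, and any amount.
    function uniswapV3SwapCallback(int256 amount0Delta, int256 amount1Delta, bytes calldata data) external {
        require(msg.sender == lastCalledPool, "not the pool");
        (address tokenIn, address from) = abi.decode(data, (address, address));
        int256 owed = amount0Delta > 0 ? amount0Delta : amount1Delta;
        IERC20(tokenIn).transferFrom(from, msg.sender, uint256(owed)); // drains `from` up to its allowance
    }
}

/// Hardened pattern: the pool is derived from the canonical factory, the payer is
/// whoever called swap(), the token charged is read from the verified pool itself,
/// and the amount is bounded by what the caller agreed to pay.
contract HardenedRouter {
    IUniswapV3Factory public immutable factory;
    address private expectedPool;
    address private payer;
    uint256 private maxPay;

    constructor(IUniswapV3Factory factory_) {
        factory = factory_;
    }

    function swap(address tokenIn, address tokenOut, uint24 fee, uint256 amountIn, uint160 sqrtPriceLimitX96) external {
        address pool = factory.getPool(tokenIn, tokenOut, fee); // never taken from calldata
        require(pool != address(0), "unknown pool");
        bool zeroForOne = tokenIn < tokenOut; // Uniswap V3 orders token0 as the lower address
        expectedPool = pool;
        payer = msg.sender;
        maxPay = amountIn;
        IUniswapV3Pool(pool).swap(msg.sender, zeroForOne, int256(amountIn), sqrtPriceLimitX96, "");
        delete expectedPool;
        delete payer;
        delete maxPay;
    }

    function uniswapV3SwapCallback(int256 amount0Delta, int256 amount1Delta, bytes calldata) external {
        require(expectedPool != address(0) && msg.sender == expectedPool, "not the pool");
        require(amount0Delta > 0 || amount1Delta > 0, "nothing owed");
        // Ask the (now verified) pool which token it is collecting; ignore callback data entirely.
        address tokenOwed;
        uint256 owed;
        if (amount0Delta > 0) {
            tokenOwed = IUniswapV3Pool(msg.sender).token0();
            owed = uint256(amount0Delta);
        } else {
            tokenOwed = IUniswapV3Pool(msg.sender).token1();
            owed = uint256(amount1Delta);
        }
        require(owed <= maxPay, "pool asks for more than authorised");
        require(IERC20(tokenOwed).transferFrom(payer, msg.sender, owed), "transfer failed");
    }
}
```

The contrast is the whole point: in the vulnerable router, the pool address, the payer, the token and the amount are all attacker-influenced inputs, and the `msg.sender == lastCalledPool` check only confirms the fake pool is the contract that was just called. In the hardened router, the pool must come from the factory, the payer is fixed to the account that started the swap, and nothing in the callback's `data` is trusted. Users who cannot wait for a fix can only protect themselves by revoking the router's allowance on their tokens, which is the "revoke approvals" remedy the article mentions.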
Trust stated that this vulnerability should have been detected by any reasonable audit firm, raising concerns about the maturity of the production codebase.
Trust also described highly sophisticated bots that copied the fund-saving transaction in order to steal assets instead, emphasizing the extensive resources and capabilities of these so-called miner extractable value (MEV) bots.
Trust gave several reasons for performing the preemptive hack.
First, Trust had submitted a full vulnerability report one and a half hours before the hack but received no reply.
Second, Trust feared the development team might not be available over the weekend.
Third, the contract couldn't be fixed; it could only be hacked before someone else did, or have users revoke their approvals.
Finally, Trust prioritized saving the single address holding the majority of the funds at risk, Sifu's address. Trust also did not anticipate how sophisticated the MEV bots would be in this situation.
In light of these revelations, it is crucial for the crypto community to reassess security practices and prioritize thorough audits of smart contracts to prevent such vulnerabilities from being exploited.
Trust’s actions demonstrate the importance of white-hat hackers in the ecosystem, working to protect users’ funds and improve overall security.