SushiSwap hacked for over $3.3m, approval smart contract on Ethereum exploited

Decentralized exchange SushiSwap was on April 9 hacked for more than $3.3m. It follows a bug in the approval system of the exchange’s RouterProcessor2 contract on Ethereum.

The exploit led to the loss of more than 1,800 ethereum (ETH). Following the hack, SushiSwap’s Head Chef, Jared Grey, is advising affected users to revoke contracts.

SushiSwap contract compromised

Peckshield, a blockchain security firm, reported a data breach on the SushiSwap system occasioned by an approve-related bug that has seen a loss of over 1,800 ETH translating to $3.3m.

The bug targeted the RouterProcessor2 contract responsible for trade routing services on SushiSwap.

It seems the @SushiSwap RouterProcessor2 contact has an approve-related bug, which leads to the loss of >$3.3M loss (about 1800 eth) from @0xSifu.

If you have approved https://t.co/E1YvC6VZsP, please *REVOKE* ASAP!

One example hack tx: https://t.co/ldg0ww3hAN pic.twitter.com/OauLbIgE0Q

— PeckShield Inc. (@peckshield) April 9, 2023

According to Peckshield, the exploit targeted numerous chains where the affected smart contract operates, including Ethereum, Avalanche, Fantom, and Binance Smart Chain (BSC).

All the compromised addresses were recorded, and owners were advised to invalidate contract approvals as soon as possible.

SushiSwap’s Head Chef, Jared Grey, admitted to the breach in the system and noted that the exchange had deployed security personnel to diminish the hack. 

He added that the team had not yet established the number of users affected but guaranteed customers that only those exposed to the compromised contract were in danger.

Sushi's RouteProcessor2 contract has an approval bug; please revoke approval ASAP. We're working with security teams to mitigate the issue. https://t.co/WhXJfa5xD4

— Jared Grey (@jaredgrey) April 9, 2023

SushiSwap users under threat

The hack affected users who transacted on SushiSwap in the last four days. Affected users were advised to transfer money to new wallets or cancel the approvals.

only users impacted by sushiswap hack should be those that swapped on sushiswap in the last 4 days, if you did so revert approvals asap or move your funds in affected wallet to a new wallet

— 0xngmi (llamazip arc) (@0xngmi) April 9, 2023

Reports from Twitter indicate that there is a possibility that the $3.3 million lost was from a solitary customer @0xsifu, a prominent crypto enthusiast in Crypto Twitter.

Security teams respond

Smart Contract Audit company, BlockSec, revealed that they knew about the security breach on SushiSwap and had estimated likely dangers before announcing it.

The company noted that its priority was to secure users’ assets, and they had already salvaged multiple assets whose details would be revealed to the public in later stages.

The firm further claimed that they had already recovered 100 Ether, amounting to $180,000, from the attacker and requested the compromised contract’s owner to contact them for compensation.