SushiSwap hacked for over $3.3m, approval smart contract on Ethereum exploited
Decentralized exchange SushiSwap was on April 9 hacked for more than $3.3m. It follows a bug in the approval system of the exchange’s RouterProcessor2 contract on Ethereum.
The exploit led to the loss of more than 1,800 ethereum (ETH). Following the hack, SushiSwap’s Head Chef, Jared Grey, is advising affected users to revoke contracts.
SushiSwap contract compromised
Peckshield, a blockchain security firm, reported a data breach on the SushiSwap system occasioned by an approve-related bug that has seen a loss of over 1,800 ETH translating to $3.3m.
The bug targeted the RouterProcessor2 contract responsible for trade routing services on SushiSwap.
According to Peckshield, the exploit targeted numerous chains where the affected smart contract operates, including Ethereum, Avalanche, Fantom, and Binance Smart Chain (BSC).
All the compromised addresses were recorded, and owners were advised to invalidate contract approvals as soon as possible.
SushiSwap’s Head Chef, Jared Grey, admitted to the breach in the system and noted that the exchange had deployed security personnel to diminish the hack.
He added that the team had not yet established the number of users affected but guaranteed customers that only those exposed to the compromised contract were in danger.
SushiSwap users under threat
The hack affected users who transacted on SushiSwap in the last four days. Affected users were advised to transfer money to new wallets or cancel the approvals.
Reports from Twitter indicate that there is a possibility that the $3.3 million lost was from a solitary customer @0xsifu, a prominent crypto enthusiast in Crypto Twitter.
Security teams respond
Smart Contract Audit company, BlockSec, revealed that they knew about the security breach on SushiSwap and had estimated likely dangers before announcing it.
The company noted that its priority was to secure users’ assets, and they had already salvaged multiple assets whose details would be revealed to the public in later stages.
The firm further claimed that they had already recovered 100 Ether, amounting to $180,000, from the attacker and requested the compromised contract’s owner to contact them for compensation.
