Hacking worth 400 million yen on decentralized exchange SushiSwap

Some of the illegal outflow funds have already been recovered

Blockchain security company PeckShield announced on the 9th that funds were illegally leaked from the decentralized crypto asset (virtual currency) exchange SushiSwap (SUSHI). The SushiSwap team is now recovering some of them.

It seems the @SushiSwap RouterProcessor2 contact has an approve-related bug, which leads to the loss of >$3.3M loss (about 1800 eth) from @0xSifu.

If you have approved https://t.co/E1YvC6VZsP, please *REVOKE* ASAP!

One example hack tx: https://t.co/ldg0ww3hAN pic.twitter.com/OauLbIgE0Q

— PeckShield Inc. (@peckshield) April 9, 2023

According to PeckShield, at least one account may have lost about 440 million yen ($3.3 million) due to a bug related to Approve in the RouterProcessor2 contract.

Jared Gray, head of PeckShield and SushiSwap, urged people to “revoke” the transaction immediately, as their digital assets (funds) could be stolen if they approve the transaction.

connection:Explanation of points to note when using Web3 wallet Metamask

The contract called RouterProcessor2 has been deployed on multiple chains such as Ethereum (ETH), BNB chain (BSC), Polygon (MATIC), Avalanche (AVAX), and Phantom (FTM). Shape.

only users impacted by sushiswap hack should be those that swapped on sushiswap in the last 4 days, if you did so revert approvals asap or move your funds in affected wallet to a new wallet

— 0xngmi (llamazip arc) (@0xngmi) April 9, 2023

0xngmi, developer of DeFi Llama, which provides data and aggregators for DeFi (decentralized finance), said:

On some chains, the contract in question has been deployed for up to two weeks. It’s safest to assume that all contract approvals on Sushiswap over the past two weeks are at risk.

It is recommended to revoke the approval of the contract in question or move the funds from the wallet concerned to another wallet. 0xngmi also provided a list of contracts that should be revoked.

Some positive news following the RouteProcessor 2 approval bug.

Sushi’s secured a large portion of affected funds in a whitehat security process.

If you performed a recovery please contact [email protected] for next steps.

—Sushi.com (@SushiSwap) April 9, 2023

SushiSwap later announced that it had successfully recovered a large portion of the stolen funds through white hat security processes. Jared Gray also confirmed that he has recovered 300 Ethereum.

Gray went on to say that he has reached out to Lido Finance, a liquid staking protocol that also partners with SushiSwap, and is working to get back another 700 Ethereum.

Mechanisms to approve malicious contracts

3/ Root cause is because in the internal swap() function, it will call swapUniV3() to set variable “lastCalledPool” which is at storage slot 0x00. Later on in the swap3callback function the permission check get bypassed. pic.twitter.com/LN0Ppsob9a

—Ancilia, Inc. (@AnciliaInc) April 9, 2023

This time, funds are believed to have been illegally withdrawn by a malicious hacker who used a bug. According to Web3 cybersecurity company Ancilis, the SushiSwap router contract seems to have had a bug related to authorization.

This allowed hackers to force ordinary users to approve malicious contracts and steal their funds.

To date, 190 Ethereum addresses have approved the problematic contract, according to Kevin Peng, a research analyst at cryptocurrency publication The Block. Additionally, more than 2,000 addresses are believed to have approved the contract on Ethereum’s Layer 2 project, Arbitrum (ARB).

What is DeFi (decentralized finance)?

Refers to financial services or systems that utilize blockchain and are performed in the absence of a central administrator. Abbreviation for “Decentralized Finance.” DeFi financial services include stablecoin issuance, currency lending, and cryptocurrency exchanges. Many platforms use the Ethereum blockchain.

Cryptocurrency Glossary