The decentralized exchange (DEX) SushiSwap has been hit by a bug. Initially, 2.7 million euros in crypto was lost due to the bug. Blockchain security researcher PeckShield reports this on Twitter.
SushiSwap on Ethereum and other chains hit
More precisely, it concerns the RouterProcessor2 smart contract. Due to an error in the code, 2.7 million euros could be stolen. The team behind SushiSwap immediately took action to prevent more damage.
It seems the @SushiSwap RouterProcessor2 contract has an approve-related bug, which leads to the loss of >$3.3M loss (about 1800 eth) from @0xSifu.
If you have approved https://t.co/E1YvC6VZsP please *REVOKE* ASAP!
One example hack tx: https://t.co/ldg0ww3hAN
—PeckShield Inc. (@peckshield) April 9, 2023
Because the smart contract in question has been launched on multiple blockchains, users who have used SushiSwap on Ethereum (ETH), BNB Chain, Polygon (MATIC), Avalanche (AVAX) and Fantom (FTM) must revoke their approval. This way, malicious parties cannot abuse the bug to empty wallets. As it stands, only users who have used SushiSwap to swap tokens in the past four days are at risk.
If you belong to this group, you will find here an extensive list with revoke links per blockchain.
Large-scale effort under way to recover stolen crypto
At the moment the SushiSwap community is busy limiting the damage as much as possible. In addition to urging users to revoke the affected smart contract's access to their wallets, multiple parties are working together to recover the stolen crypto.
By tracking the stolen crypto, part of the stolen funds could be saved. For example, one of the attackers is said to have returned 90 of the 100 stolen ETH. In addition, the team is in talks with parties such as Lido Finance, where part of the loot ended up.
. @SushiSwap RouteProcessor2 was attacked, and sifuvision.eth @0xSifu lost 1800 ETH due to this. We tracked the stolen funds and presented them as follows.
The first attacker (0x9deff) has returned 90 ETH (of 100 stolen). BlockSec rescued 100 ETH and will return it shortly. The… https://t.co/sMqzNiDL5p
—MetaSleuth (@MetaSleuth) April 9, 2023
The bug comes at a painful time for SushiSwap. It recently became known that the decentralized finance (DeFi) platform is under investigation by the US Securities and Exchange Commission (SEC). Certain leading figures within SushiSwap received a subpoena from the regulator. It is unclear what exactly the investigation is about.