DeFi protocol SushiSwap suffers a $3.3 million exploit due to an approval-related bug in its RouterProcessor2 contract.
It seems the @SushiSwap RouterProcessor2 contract has an approve-related bug, which leads to the loss of >$3.3M (about 1800 eth) from @0xSifu.
If you have approved https://t.co/E1YvC6VZsP, please *REVOKE* ASAP!
One example hack tx: https://t.co/ldg0ww3hAN
— PeckShield Inc. (@peckshield) April 9, 2023
According to blockchain security analytics firm Peckshield, the bug allowed about 1800 ETH to be drained from user @0xsifu.
Sushi’s head developer, Jared Grey, urged the community to revoke approvals immediately, noting that recovery efforts are underway.
Security analytics firm Certik noted that multiple users who had approved the contract had their USDC transferred to another address.
Jared Grey later added that the SushiSwap team secured a large portion of affected funds in a whitehat security process. Grey also confirmed the recovery of more than 300 ETH ($55,766) of user Sifu’s stolen funds from CoffeeBabe.
The team is reportedly now in contact with Lido Finance’s team regarding 700 more ETH drained in the exploit.
DeFiLlama team member 0xngmi tweeted that SushiSwap approvals made in the last two weeks are the most vulnerable to the exploit.
only users impacted by sushiswap hack should be those that swapped on sushiswap in the last 4 days, if you did so revert approvals asap or move your funds in affected wallet to a new wallet
— 0xngmi (llamazip arc) (@0xngmi) April 9, 2023
“If you did so revert approvals asap or move your funds in affected wallet to a new wallet,” 0xngmi added.
Compiled by Coinbold