Over the weekend, SushiSwap suffered a major security breach when a bug in its RouterProcessor2 contract was exploited, leading to the theft of approximately $3.3 million worth of Ethereum (ETH) from a user's wallet.
PeckShield, a blockchain security and data analytics company, confirmed that the "approve-related bug" in the contract allowed the attacker to steal 1,800 ETH from the victim's wallet.
It seems the @SushiSwap RouterProcessor2 contract has an approve-related bug, which leads to a loss of >$3.3M (about 1800 eth) from @0xSifu.
If you have approved https://t.co/E1YvC6VZsP, please *REVOKE* ASAP!
One example hack tx: https://t.co/ldg0ww3hAN pic.twitter.com/OauLbIgE0Q
— PeckShield Inc. (@peckshield) April 9, 2023
Binance-backed cybersecurity firm Ancilia conducted a separate analysis and found that the flaw resulted from a failure to validate access permissions during a swap transaction.
3/ Root cause is because in the internal swap() function, it will call swapUniV3() to set variable "lastCalledPool" which is at storage slot 0x00. Later on in the swap3callback function the permission check gets bypassed. pic.twitter.com/LN0Ppsob9a
— Ancilia, Inc. (@AnciliaInc) April 9, 2023
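To make Ancilia's root-cause description concrete, the following is an added, simplified Solidity sketch; it is not SushiSwap's RouterProcessor2 source, and every name in it other than lastCalledPool and the Uniswap V3 callback is an assumption. It contrasts the weak pattern the tweet describes, a router that records the pool it is about to call in a state variable and then authorizes the callback by comparing msg.sender against that variable, with a hardened router that only ever records a pool address obtained from the trusted factory (the same idea as Uniswap's periphery CallbackValidation library) and clears it once the swap returns.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustrative sketch of a callback-authorization weakness. Not SushiSwap code;
// contract, function and interface names are assumptions for this example.

interface IUniswapV3PoolLike {
    function swap(address recipient, bool zeroForOne, int256 amountSpecified,
                  uint160 sqrtPriceLimitX96, bytes calldata data)
        external returns (int256 amount0, int256 amount1);
}

interface IUniswapV3FactoryLike {
    function getPool(address tokenA, address tokenB, uint24 fee) external view returns (address);
}

interface IERC20Like {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Weak pattern: the callback trusts whatever address the last swap call stored.
contract RouterWeak {
    address public lastCalledPool; // occupies storage slot 0 in this sketch

    // `pool` is taken directly from caller-supplied route data and never verified.
    function swapUniV3(address pool, address tokenIn, bool zeroForOne, int256 amount, address recipient) external {
        lastCalledPool = pool; // whatever the caller passed in is now "trusted"
        uint160 limit = zeroForOne ? 4295128739 + 1 : 1461446703485210103287273052203988822378723970342 - 1;
        IUniswapV3PoolLike(pool).swap(recipient, zeroForOne, amount, limit, abi.encode(tokenIn, msg.sender));
    }

    function uniswapV3SwapCallback(int256 amount0Delta, int256 amount1Delta, bytes calldata data) external {
        // The check is only as strong as the value stored by the previous step. If that value was
        // not a genuine pool, the `data` echoed back here is not the data this router encoded, so
        // every field decoded below (including the payer) is untrusted.
        require(msg.sender == lastCalledPool, "not pool");
        (address tokenIn, address payer) = abi.decode(data, (address, address));
        uint256 owed = uint256(amount0Delta > 0 ? amount0Delta : amount1Delta);
        IERC20Like(tokenIn).transferFrom(payer, msg.sender, owed); // spends the payer's approval
    }
}

// Hardened pattern: the stored pool address can only come from the trusted factory, the callback
// is accepted only while a swap is actually in flight, and the stored value is cleared afterwards.
contract RouterHardened {
    IUniswapV3FactoryLike public immutable factory;
    address private expectedPool; // set only from a factory lookup, zeroed after each swap

    uint160 private constant MIN_SQRT_RATIO = 4295128739;
    uint160 private constant MAX_SQRT_RATIO = 1461446703485210103287273052203988822378723970342;

    constructor(address factory_) {
        factory = IUniswapV3FactoryLike(factory_);
    }

    function swapUniV3(address tokenIn, address tokenOut, uint24 fee, int256 amount, address recipient) external {
        require(expectedPool == address(0), "reentrant swap");
        address pool = factory.getPool(tokenIn, tokenOut, fee); // resolved from the factory, not from input
        require(pool != address(0), "unknown pool");
        expectedPool = pool;
        bool zeroForOne = tokenIn < tokenOut;
        uint160 limit = zeroForOne ? MIN_SQRT_RATIO + 1 : MAX_SQRT_RATIO - 1;
        IUniswapV3PoolLike(pool).swap(recipient, zeroForOne, amount, limit, abi.encode(tokenIn, msg.sender));
        expectedPool = address(0); // no stale authorization survives the swap
    }

    function uniswapV3SwapCallback(int256 amount0Delta, int256 amount1Delta, bytes calldata data) external {
        // A genuine factory-deployed pool echoes exactly the `data` this router encoded, so the
        // payer decoded here is the account that initiated the swap and nobody else.
        require(expectedPool != address(0) && msg.sender == expectedPool, "not pool");
        (address tokenIn, address payer) = abi.decode(data, (address, address));
        uint256 owed = uint256(amount0Delta > 0 ? amount0Delta : amount1Delta);
        IERC20Like(tokenIn).transferFrom(payer, msg.sender, owed);
    }
}
```

The defensive takeaway for anyone reviewing a router that pulls tokens inside a callback: the callback's `msg.sender` check must be anchored to something the transaction's caller cannot choose (a factory lookup or a CREATE2-derived pool address), and the window in which the callback is accepted should be limited to the swap that opened it. Users who granted approvals to such a router are exposed for as long as the allowance exists, which is why both PeckShield and SushiSwap urged revoking it.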
The vulnerable contract was also discovered on the Polygon network.
Jared Grey, SushiSwap's "head chef," confirmed the bug and urged users who had interacted with the blockchain to revoke all permissions granted to the exchange's contracts.
CTO Matthew Lilley also followed up with more details, stating that the company was identifying all affected addresses and working to rescue funds as they become available.
Lilley also provided a tool to help users check for exposure across various networks.
Despite the hack, the price of SushiSwap's SUSHI token has only dropped slightly in the past 24 hours.
It is worth noting that SushiSwap narrowly avoided a major hack earlier this year when a "white hat" crypto researcher discovered a bidding bug that could have resulted in a loss of $350 million.
Photo: Shutterstock
© 2024 Benzinga.com. Benzinga does not provide investment advice. All rights reserved.