SushiSwap Approval Bug Leads to $3.3M Exploit

Related articles


A bug in a smart contract on decentralized finance (DeFi) protocol SushiSwap resulted in more than $3 million in losses in the early hours of April 9, according to multiple security reports on Twitter.

Blockchain security firms Certik Alert and Peckshield published an article about unusual activity related to the approval function in Sushi’s Router Processor 2 contract – a smart contract that aggregates trade liquidity from multiple sources and identifies the most favorable price to trade coins. Within hours, the bug resulted in losses of $3.3 million.

According for pseudonymous developer DefiLlama 0xngmi, the hack should only affect users who have traded the protocol in the past four days.

Sushi lead developer Jared Gray has urged users to revoke permissions for all contracts on the protocol. “Sushi’s RouteProcessor2 contract has an approval bug; please revoke the approval as soon as possible. We are working with security teams to mitigate the issue,” he noted. A list contracts on GitHub with different blockchains requiring revocation have been created to solve the problem.

Hours after the incident, Gray took to Twitter to announce that a “large portion of the affected funds” had been recovered through a whitehat security process. “We have confirmed the recovery of over 300 ETH of stolen funds from CoffeeBabe of Sifu. We are in contact with the Lido team regarding an additional 700 ETH.”

The Sushi community had an intense weekend. On April 8, Gray and his attorney commented on the recent U.S. Securities and Exchange Commission (SEC) subpoena.

“The SEC investigation is a non-public investigative investigation into whether there have been violations of federal securities laws. To our knowledge, the SEC has not (at the time of writing of this article) reached conclusions that anyone affiliated with Sushi has violated U.S. federal securities laws,” he said.

Gray claims to be cooperating with the investigation. A legal defense fund in response to the subpoena was proposed on Sushi’s governance forum on March 21.

Magazine: Crypto Audits and Bug Bounties Are Broken: Here’s How to Fix Them