SushiSwap authorization bug leads to $3.3M loss to crypto theft

A bug in the authorization process of SushiSwap has resulted in an exploit that led to the theft of $3.3 million worth of cryptocurrencies. Blockchain security firms Certik Alert and Peckshield discovered the error on April 9 night, which led to a significant loss of funds within hours.

As a result of the exploit, the hackers could steal $3.3 million from the liquidity pool. The attack caused an unrecoverable loss for the liquidity providers in the pool, as the stolen funds could not be recovered.

According to reports by Certik Alert and Peckshield, the exploit in SushiSwap occurred due to a vulnerability in the authorization process of the platform’s smart contract, specifically in Sushi’s Router Processor 2 contract.

The Router Processor 2 contract is a smart contract in the SushiSwap decentralized finance (DeFi) protocol. It is a crucial component of the platform’s automated market maker (AMM) system, aggregating trading liquidity from multiple sources and determining the lowest price to exchange cryptocurrencies. The Router Processor 2 contract is responsible for routing trades to the best available liquidity pool and managing the token swaps.

The vulnerability was related to the transaction approval mechanism, which is required to execute certain actions on the platform, such as adding or removing liquidity from a pool.

We've confirmed recovery of more than 300ETH from CoffeeBabe of Sifu's stolen funds. We're in contact with Lido's team regarding 700 more ETH.

— Jared Grey (@jaredgrey) April 9, 2023

Hackers took advantage of this vulnerability to extract funds from a liquidity pool on SushiSwap. They could do so by tricking the smart contract into thinking they had the necessary authorization to execute the transaction, even though they did not.

SushiSwap chief developer Jared Grey advised users to revoke permissions on the protocol’s contracts to prevent further damage. He also confirmed that a large portion of the funds had been recovered through a whitehat security process.

In addition to the security breach, SushiSwap is also dealing with a subpoena from the US Securities and Exchange Commission (SEC) regarding potential violations of federal securities laws. Grey said SushiSwap would be cooperating with the investigation.

“The SEC investigation is a private, fact-finding inquiry looking to find out whether or not there have been any violations of federal securities legal guidelines. To the most effective of our data, the SEC has not concluded that anybody related to Sushi has violated the securities legal guidelines of the US,” Grey said.

It seems the @SushiSwap RouterProcessor2 contact has an approve-related bug, which leads to the loss of >$3.3M loss (about 1800 eth) from @0xSifu.

If you have approved https://t.co/E1YvC6VZsP, please *REVOKE* ASAP!

One example hack tx: https://t.co/ldg0ww3hAN pic.twitter.com/OauLbIgE0Q

— PeckShield Inc. (@peckshield) April 9, 2023

More on SushiSwap

SushiSwap is a crypto exchange that runs on the Ethereum network. It is a fork of Uniswap, which is another popular-decentralized exchange. The anonymous developer Chef Nomi created SushiSwap in August 2020.

SushiSwap allows cryptocurrency trading without a centralized intermediary. Instead, users can trade directly using smart contracts on the Ethereum blockchain. This eliminates the need for a centralized exchange to hold custody of users’ funds, which can be a security risk.

SushiSwap also features liquidity pools, which are pools of funds that users can contribute to in exchange for a share of the pool’s trading fees. This allows users to earn a passive income by providing liquidity to the platform.

One of SushiSwap’s unique features is its native cryptocurrency, SUSHI. Users who hold SUSHI can participate in governance decisions for the platform, such as proposing and voting on changes to the platform’s code.

Despite all this, the incident could erode users’ trust in the reliability and security of the DeFi platform, potentially leading to a decline in usage and liquidity. The indirect effects of the SushiSwap exploit could include increased scrutiny and regulation of the DeFi space as a whole, as incidents like this highlight the risks and challenges associated with the fast-growing and relatively new field of decentralized finance.

Read more about DeFi exploits and how they help improve security and provide a brighter future to the crypto world.