A smart contract of SushiSwap, a decentralized finance (DeFi) protocol, has been breached, resulting in a $3.3 million loss. Only users who interacted with some of SushiSwap’s smart contracts in the last two weeks may be affected.
SushiSwap smart contract has a flaw
A smart contract of the decentralized finance (DeFi) protocol SushiSwap has been breached, resulting in $3.3 million in losses, according to the latest estimate at the time of writing. This amount alone would come from the user 0xSifu, well known in the crypto ecosystem on Twitter.
Sushi’s RouteProcessor2 contract has an approval bug; please revoke approval ASAP. We’re working with security teams to mitigate the issue. https://t.co/WhXJfa5xD4
– Jared Grey (@jaredgrey) April 9, 2023
According to @0xngmi, developer of the DefiLlama platform, only users who interacted with some of SushiSwap’s smart contracts during the last 2 weeks could be affected. The latter has also developed a website allowing you to check if your address(es) are potentially at risk.
If one of your addresses was indeed at risk, we recommend you to remove the concerned authorizations as soon as possible. To do this, you can use Revoke or do it manually from some digital wallets that support this tool natively like Rabby Wallet.
According to Kevin Peng, an analyst at The Block Research, only 190 Ethereum addresses have approved the problematic smart contract. More than 200 addresses would be affected on Layer 2 Arbitrum, however, and other addresses are also affected on other blockchains. If you want to manually check the contracts for each blockchain, you can find their respective addresses here.
The price of the SUSHI token was slightly impacted, with a drop of just over 5% over 24 hours.
SUSHI token price evolution
The blockchain security and auditing firm BlockSec revealed that it had successfully intercepted 100 ETH on block 17007839. Furthermore, the first attacker, who thus appears to be a “white hat”, has reportedly already flipped 90 of the 100 ETH.
At the time of writing, neither SushiSwap nor its director Jared Grey have given more news about the flaw.
