SushiSwap to return stolen funds following weekend hack

Quick Take

  • After a high-profile hack, SushiSwap has outlined plans for returning funds.
  • Some funds residing in a whitehat contract will be returned via a Merkle contract.
  • Funds stolen by blackhat hackers will require a case-by-case claims process.

SushiSwap has provided an update on the weekend's exploit and a plan to refund affected users.

The decentralized exchange explained that funds were either swept by whitehat security teams or lost to blackhat hackers.

Funds residing in the whitehat contract will be claimable via a Merkle Claim contract that the SushiSwap team is currently building. "We've completed most of this work and it will go live soon," the DEX noted on Twitter.

Recovering funds stolen by bad actors will be more complicated. Users whose funds reside with the blackhat exploiter must send an email to security@sushi.com that includes transaction IDs and blockchain data. (Alternatively, they may open a ticket in SushiSwap's official Discord.)

The Sushi team is establishing an opt-in claims process and will manage claims on a case-by-case basis, it explains. "Our goal is to return all user funds to legitimate claimants," Sushi wrote, adding: "We appreciate everyone's patience and understand your frustration as we work through returning funds to affected users."

On April 9, SushiSwap fell victim to an exploit that involved an approve-related bug on its RouterProcessor2 contract. Essentially, users who approved the problematic smart contract on the decentralized exchange opened themselves up to having their funds "yoinked" from their wallets.

After on-chain sleuths noticed the problem, the DEX's proverbial "Head Chef," Jared Grey, recommended revoking the contract's permissions on all associated blockchains.

Users can check whether they were affected, but Sushi notes that "you likely have no exposure if you haven't interacted with Sushi in the past ten days, as the exploited contract is less than ten days old."

Meanwhile, SushiSwap has other problems to contend with. The U.S. Securities and Exchange Commission recently served the decentralized exchange and Grey with a subpoena, provoking the latter into asking Sushi DAO to fund a $3 million USDT legal defense.


© 2023 The Block. All Rights Reserved.