SushiSwap hacked, Head Chef says 'revoke all chains'

Quick Take

  • SushiSwap has fallen victim to an exploit.
  • Only users who have interacted with the decentralized exchange in the last four days seem to be affected.

Decentralized exchange SushiSwap has fallen victim to an exploit, which led to the loss of more than $3.3 million from at least one user, known as 0xSifu on Twitter.

The exploit involves an approve-related bug in the RouterProcessor2 contract — PeckShield and SushiSwap Head Chef Jared Grey recommend that users revoke their approvals to it on all chains.

The root cause, according to Ancilia, Inc. and in technical terms, "is because in the internal swap() function, it will call swapUniV3() to set variable 'lastCalledPool' which is at storage slot 0x00."

The cybersecurity account adds that "later on in the swap3callback function, the permission check gets bypassed."

To yoink, or notyoink?

In other words, by approving the bad contract, users unknowingly allow the exploiter to steal their tokens — or "yoink," in this case.

"The 'yoink' function was used by the first attacker, which is due to the attack vector being a bug in the 'approve' mechanism of the SushiSwap router contract," The Block Research Analyst Brad Kay says.

"The bug allows an unauthorized entity to essentially 'yoink' tokens without the proper approval from the token owner," Kay explains, adding: "Following the first attack for 100 ETH — possibly a white hat — it seems like another hacker came along and stole another 1800-ish ETH using the same contract but instead named their function 'notyoink'."


How many SushiSwap users are affected?

Early reports claim that not too many SushiSwap users are currently at risk.

DeFi Llama's @0xngmi claims only those who swapped on SushiSwap within the last four days should be affected. They also published a list of contracts across all chains that should be revoked and built a tool to check if any of your addresses have been impacted.

The Block Research Analyst Kevin Peng explains that, so far, 190 Ethereum addresses have approved the problematic contract. However, more than 2000 addresses on Layer 2 Arbitrum have seemingly approved the bad contract.
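Counts like the ones above come from scanning on-chain ERC-20 Approval events for a given spender. The following is an added example, not code from the article or from SushiSwap's or DeFi Llama's tooling: it scans constructed Approval logs for non-zero allowances granted to a suspect spender and builds the approve(spender, 0) calldata that revokes each one. The router, token and owner addresses are placeholders, not the real RouterProcessor2 address.

```python
# Added example: detect open ERC-20 approvals to a suspect spender and build revocation calldata.
# All addresses below are constructed PLACEHOLDERS; the real RouterProcessor2 address per chain
# must be taken from the published revocation list.

# keccak256("Approval(address,address,uint256)"): topic0 of the standard ERC-20 Approval event
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
APPROVE_SELECTOR = "095ea7b3"  # 4-byte selector of approve(address,uint256)

SUSPECT_SPENDER = "0x" + "ee" * 20   # placeholder for the vulnerable router contract
TOKEN = "0x" + "aa" * 20             # placeholder ERC-20 token emitting the events
OWNER_1 = "0x" + "11" * 20           # placeholder user addresses
OWNER_2 = "0x" + "22" * 20
OTHER_SPENDER = "0x" + "dd" * 20     # an unrelated, harmless spender
MAX_UINT = "0x" + "ff" * 32


def pad_address(addr: str) -> str:
    """Left-pad a 20-byte address to the 32-byte word used in indexed topics."""
    return "0x" + addr[2:].lower().rjust(64, "0")


def word_to_address(word: str) -> str:
    """Recover the 20-byte address from a 32-byte topic word."""
    return "0x" + word[-40:].lower()


def find_open_approvals(logs, spender):
    """Return {token: {owner, ...}} for owners whose latest Approval to `spender` is non-zero.
    Logs are assumed to be in chain order, so a later approve(spender, 0) clears the entry."""
    latest = {}
    for log in logs:
        topics = log["topics"]
        if len(topics) != 3 or topics[0] != APPROVAL_TOPIC:
            continue  # not an ERC-20 Approval event
        if topics[2].lower() != pad_address(spender):
            continue  # approval granted to some other spender
        owner = word_to_address(topics[1])
        latest[(log["address"].lower(), owner)] = int(log["data"], 16)
    affected = {}
    for (token, owner), value in latest.items():
        if value > 0:
            affected.setdefault(token, set()).add(owner)
    return affected


def revoke_calldata(spender: str) -> str:
    """ABI-encode approve(spender, 0): selector + padded address + zero uint256."""
    return "0x" + APPROVE_SELECTOR + spender[2:].lower().rjust(64, "0") + "0" * 64


# Constructed sample logs: OWNER_1 approves the suspect spender and never revokes;
# OWNER_2 approves and later revokes; OWNER_1 also approves an unrelated spender.
SAMPLE_LOGS = [
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, pad_address(OWNER_1), pad_address(SUSPECT_SPENDER)], "data": MAX_UINT},
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, pad_address(OWNER_2), pad_address(SUSPECT_SPENDER)], "data": MAX_UINT},
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, pad_address(OWNER_2), pad_address(SUSPECT_SPENDER)], "data": "0x" + "00" * 32},
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, pad_address(OWNER_1), pad_address(OTHER_SPENDER)], "data": MAX_UINT},
]
```

Running `find_open_approvals(SAMPLE_LOGS, SUSPECT_SPENDER)` yields only OWNER_1 for TOKEN, and `revoke_calldata(SUSPECT_SPENDER)` is the transaction data that owner would send to the token contract to close the approval.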

The price of Sushi's governance token fell by only 0.6% in the hour since the news broke.

Grey — who is also seeking a $3 million legal defense fund from Sushi DAO after Sushi was hit with a subpoena from the U.S. Securities and Exchange Commission — tweeted that Sushi is "working with security teams to mitigate the issue."

Updated to provide more context and explanation. This story is developing and will be continually updated with new information.


© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Author

Adam is the managing editor for Europe, the Middle East and Africa. He is based in central Europe and was a managing editor and podcast host at the crypto exchange OKX's former research arm, OKX Insights. Before that, he co-founded BeInCrypto.com, which he elevated into one of the leading crypto media brands at its peak as the editor-in-chief. Earlier, he served as the editor-in-chief at Bitcoinist.com. Before joining the blockchain and crypto industry, he worked for Looper.com, Grunge.com and SVG.com. He tweets via @XBT002 and can be emailed at [email protected].