The decentralized exchange SushiSwap has been hit by an exploit, leading to the loss of over $3.3 million from at least one user, known as 0xSifu on Twitter, according to a report by The Block. The exploit stems from an approve-related bug in the RouterProcessor2 contract; security firm PeckShield and SushiSwap Head Chef Jared Grey have recommended that users revoke their approvals for that contract on all chains.
The root cause of the issue, according to Ancilia, Inc., is a bug in the internal swap() function, which calls swapUniV3() to set the variable “lastCalledPool” at storage slot 0x00. Ancilia adds that “later on in the swap3callback function, the permission check gets bypassed.”
The exploit allows an unauthorized entity to steal users’ tokens, commonly known as “yoinking.” According to The Block Research Analyst Brad Kay, the first attacker used the “yoink” function, taking 100 ETH, while another attacker later used the same contract but instead named their function “notyoink,” stealing another 1,800 ETH.
Early reports suggest that relatively few SushiSwap users are currently at risk. DeFi Llama's @0xngmi claims that only those who swapped on SushiSwap within the last four days should be affected. However, The Block Research Analyst Kevin Peng explains that 190 Ethereum addresses have approved the problematic contract, and more than 2,000 addresses on the Layer 2 network Arbitrum have seemingly approved the bad contract as well.
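The two defensive steps the article describes, finding which addresses still hold an allowance for the flagged router and revoking it, can be worked through on ERC-20 Approval logs. The following is an added example and not SushiSwap, PeckShield or Ancilia code; the router, token and user addresses and the log entries are constructed placeholders, and the only real constants are the standard ERC-20 `approve` selector and `Approval` event topic.

```python
# Added example (not SushiSwap or Ancilia code): find ERC-20 allowances granted to a flagged
# spender in Approval logs and build approve(spender, 0) calldata to revoke them.
APPROVE_SELECTOR = "095ea7b3"  # first 4 bytes of keccak256("approve(address,uint256)")
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"

ROUTER = "0x" + "ab" * 20         # constructed placeholder for the flagged router contract
OTHER_SPENDER = "0x" + "cd" * 20  # unrelated spender; its approvals must be ignored
TOKEN_A, TOKEN_B = "0x" + "11" * 20, "0x" + "22" * 20
ALICE, BOB, CAROL = "0x" + "01" * 20, "0x" + "02" * 20, "0x" + "03" * 20

def _word(value: int) -> str:
    """Encode an integer as one 32-byte ABI word (hex, no 0x prefix)."""
    return format(value, "064x")

def _address_word(addr: str) -> str:
    """Left-pad a 20-byte address to a 32-byte word, as in ABI args and indexed topics."""
    return addr[2:].lower().rjust(64, "0")

def _approval_log(token: str, owner: str, spender: str, value: int) -> dict:
    """Constructed log in the shape eth_getLogs returns for an ERC-20 Approval event."""
    return {"address": token, "data": "0x" + _word(value),
            "topics": [APPROVAL_TOPIC, "0x" + _address_word(owner), "0x" + _address_word(spender)]}

# Chain-ordered sample: Carol approved the router and later revoked it; Alice did not.
SAMPLE_LOGS = [
    _approval_log(TOKEN_A, ALICE, ROUTER, 2**256 - 1),   # unlimited allowance to router
    _approval_log(TOKEN_A, BOB, OTHER_SPENDER, 10**18),  # different spender, ignored
    _approval_log(TOKEN_B, CAROL, ROUTER, 500),
    _approval_log(TOKEN_B, CAROL, ROUTER, 0),            # revoked, supersedes the line above
]

def approvals_to_spender(logs, spender: str) -> dict:
    """Map (owner, token) -> current non-zero allowance to `spender`. Logs must be in chain
    order: a later Approval for the same (owner, token) replaces the earlier value."""
    latest = {}
    for log in logs:
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # not an ERC-20 Approval event
        if "0x" + topics[2][-40:].lower() != spender.lower():
            continue  # approval for some other spender
        owner = "0x" + topics[1][-40:].lower()
        latest[(owner, log["address"].lower())] = int(log["data"], 16)
    return {k: v for k, v in latest.items() if v > 0}

def revoke_calldata(spender: str) -> str:
    """ABI-encoded approve(spender, 0); the owner sends it to each token still listed."""
    return "0x" + APPROVE_SELECTOR + _address_word(spender) + _word(0)
```

Against a real node the same logic runs over `eth_getLogs` filtered on the Approval topic with the router address in the third topic, and each remaining (owner, token) pair is cleared by sending `revoke_calldata(router)` to that token contract from the owner's account.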
Sushi’s governance token only fell by 0.6% in the hour since the news broke. SushiSwap Head Chef Jared Grey has tweeted that Sushi is “working with security teams to mitigate the issue.” Grey is also seeking a $3 million legal defense fund from Sushi DAO after Sushi was hit with a subpoena from the U.S. Securities and Exchange Commission.