A smart contract of the decentralized finance (DeFi) application SushiSwap was exploited on the morning of Sunday, April 9, according to the developers. The exploit concerns the “RouterProcessor2” contract, which performs exchange routing on SushiSwap. The security company PeckShield reported an “approve”-related bug in the contract, resulting in a loss of over $3.3 million.
According to several tweets from different security companies, the $3.3 million belongs to a single user, @0xsifu, a popular trader in the Crypto Twitter ecosystem who was behind other dramas such as the famous QuadrigaCX affair, a Canadian exchange that disappeared with $169 million in funds.
The DefiLlama developer @0xngmi said the exploit only appeared to affect users who had approved SushiSwap contracts in the past 4 days.
SushiSwap development manager Jared Gray asked users to revoke permissions for all contracts on SushiSwap as a security measure, adding that the SushiSwap team was working with security experts to mitigate the issue.
The flawed contract was deployed on several EVM-compatible blockchains
PeckShield reported that the exploited contract was rolled out across multiple chains, including Ethereum (ETH), BNB Chain (BNB), Polygon (MATIC), Fantom (FTM) and Avalanche (AVAX). The precise list of contracts to be revoked is available on GitHub.
The analyst Kevin Peng (The Block Research) reported that 190 Ethereum addresses had approved the problematic contract and that more than 2000 addresses on the Layer 2 Arbitrum had also authorized it.
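As an added example (not from the article or from SushiSwap), the revocation advice above can be turned into a triage step: replay ERC-20 Approval events, keep the approvals to flagged spenders that are still non-zero, and build the approve(spender, 0) calldata that revokes each one. All addresses and events below are constructed placeholders, not the real RouterProcessor2 deployments or the published revoke list.

```python
# Added example with constructed data; the addresses are placeholders.
APPROVE_SELECTOR = "095ea7b3"  # ERC-20 approve(address,uint256)
MAX = 2**256 - 1               # "unlimited" approval

def a(byte):                   # helper: build a placeholder 20-byte address
    return "0x" + byte * 20

# Per-chain spenders to revoke (stand-in for the published list).
FLAGGED = {"ethereum": {a("aa")}, "polygon": {a("bb")}}

# Constructed Approval(owner, spender, value) events, oldest first.
EVENTS = [
    {"chain": "ethereum", "token": a("11"), "owner": a("01"), "spender": a("aa"), "value": MAX},
    {"chain": "ethereum", "token": a("11"), "owner": a("02"), "spender": a("aa"), "value": 500},
    {"chain": "ethereum", "token": a("11"), "owner": a("02"), "spender": a("aa"), "value": 0},
    {"chain": "polygon",  "token": a("22"), "owner": a("01"), "spender": a("cc"), "value": MAX},
    {"chain": "polygon",  "token": a("22"), "owner": a("03"), "spender": a("bb"), "value": 1000},
    {"chain": "ethereum", "token": a("11"), "owner": a("03"), "spender": a("bb"), "value": MAX},
]

def outstanding(events, flagged):
    """Map (chain, token, owner, spender) -> last approved value, if non-zero.

    The last Approval value is an upper bound: transferFrom can lower the
    allowance without a new event, so allowance() on chain is authoritative.
    """
    state = {}
    for ev in events:
        spender = ev["spender"].lower()
        if spender not in flagged.get(ev["chain"], set()):
            continue  # the flag list is per chain
        key = (ev["chain"], ev["token"].lower(), ev["owner"].lower(), spender)
        state[key] = ev["value"]  # a later approve() overwrites the earlier one
    return {k: v for k, v in state.items() if v > 0}

def revoke_calldata(spender):
    """ABI-encode approve(spender, 0): selector plus two 32-byte words."""
    addr = spender.lower()
    addr = addr[2:] if addr.startswith("0x") else addr
    if len(addr) != 40 or any(c not in "0123456789abcdef" for c in addr):
        raise ValueError("not a 20-byte hex address: %r" % spender)
    return "0x" + APPROVE_SELECTOR + addr.rjust(64, "0") + "0" * 64

if __name__ == "__main__":
    for (chain, token, owner, spender) in outstanding(EVENTS, FLAGGED):
        print(chain, owner, "-> send to", token, revoke_calldata(spender))
```

The owner sends the calldata to the token contract, not to the router, and has to repeat it for each token and chain where an approval is outstanding.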
Following news of this exploit, the SUSHI token fell 6% in 24 hours, hitting $1.10 at the time of writing.
Cybersecurity firm Ancilla gave a more technical explanation of what happened, stating that the root cause was that the internal “swap()” function called “swapUniV3()” to set the “lastCalledPool” variable at storage location 0x00. Later, in the “swap3callback” function, the permission check was bypassed.
Summary: A loophole in SushiSwap’s RouterProcessor2 contract caused users to lose $3.3 million, causing the SUSHI token to drop 6%. Users are prompted to revoke permissions for all contracts.
The article SushiSwap: a flaw in a smart contract leads to a loss of $3.3 million appeared first on Corner Academy