An approval bug in a SushiSwap DEX contract has been exploited for $3.3 million. As a security measure, users are being asked to revoke their approvals for the contract. Security firms indicate that the $3.3 million came from a single user, @0xsifu.
Sharing the breaking insight, PeckShield, Inc. tweeted:
It seems the @SushiSwap RouterProcessor2 contract has an approve-related bug, which leads to the loss of >$3.3M (about 1800 eth) from @0xSifu.
If you have approved https://t.co/E1YvC6VZsP, please *REVOKE* ASAP!
One example hack tx: https://t.co/ldg0ww3hAN pic.twitter.com/OauLbIgE0Q
— PeckShield Inc. (@peckshield) April 9, 2023
Quoting the tweet by PeckShield, SushiSwap’s Chief Chef Jared Grey tweeted:
Sushi's RouteProcessor2 contract has an approval bug; please revoke approval ASAP. We're working with security teams to mitigate the issue. https://t.co/WhXJfa5xD4
— Jared Grey (@jaredgrey) April 9, 2023
Jared Grey also assured users that SushiSwap is working with “security teams to mitigate the issue.” Quoting its own tweet, PeckShield further stated, “It seems the exploited RouteProcess02 contract has been deployed in multiple chains. @SushiSwap Please *REVOKE* the following addresses ASAP. ETH: 0x044b7..7357 BSC: 0xd75f…6550 POLYGON: 0x5097…649a AVAX: 0xbace…9c4f FTM: 0x3e60…c715.”
PeckShield also shared a Slingshot article explaining how to revoke token approvals from chain-specific block explorers. Continuing his series of tweets, Jared Grey shared “a quick Revoke source.” He then shared a guide from DeFi Llama’s 0xngmi on “contract to revoke on each chain.”
DeFi Llama’s 0xngmi also shared more security insights on the issue, stating, “only users impacted by sushiswap hack should be those that swapped on sushiswap in the last 4 days, if you did so revert approvals asap or move your funds in affected wallet to a new wallet.”
0xngmi went on to share a “Correction: on some chains the contracts had been deployed for up to 2 weeks, but I’m not sure if they were added to frontend back then or later with all the other deployments. Best to be safe and assume that sushi approvals in last 2 weeks are all vulnerable.”