SushiSwap Hack


DEX SushiSwap is the victim of an attack. A mistake in a smart contract already leads to more than 3.3 million US dollars in damage. The developers warn against further use of multiple blockchains in connection with their platform.

SushiSwap Hack: More than $3.3 million in damage

According to DefiLlama, SushiSwap is the 20th largest DeFi platform by TVL. The equivalent of more than 541 million US dollars that are in the DEX system. Yesterday, the platform became the target of a successful attack that has already caused more than $3.3 million in damage.

A faulty smart contract called “RouteProcessor2” is to blame for the misery. Anyone who has acted with SushiSwap within the last six days should urgently revoke their token allowance , according to the security company Hacken.

With PeckShield, another company provides details that deal with the security of blockchains. Affected contract addresses with which users should no longer interact are summarized in a tweet.

Five different blockchains are the target of the attack: Ethereum , BNB, Polygon, Avalanche and Fantom.

How could SushiSwap be hacked?

The RouteProcessor2 smart contract specifies the details of an exchange. When users trade with SushiSwap, the contract is responsible for choosing the right liquidity pool, the right tokens and the exact amount.

However, the smart contract code does not contain a list of reliable, legitimate liquidity pools. Without a whitelist, it has been possible for a malicious actor to specify their own pool and use a recall to steal users’ funds.

According to Hacken , errors of this type can be avoided by a smart contract only allowing a repayment if it can recognize a claim from the corresponding pool.

“By providing a fake UniV3 pool, the attacker could pretend that they had taken any amount of tokens that the router contract was willing to take from users.”

Write OtterSec on Twitter . According to further information, some SushiSwap-related losses are the attacks of white hat hackers who return the stolen funds to their rightful owners.

Trade is safe again

A few hours ago, Jared Gray, managing director of SushiSwap, took the floor on Twitter. There he announces that the error has been fixed in the meantime. So new users no longer have to worry about interacting with the faulty smart contract.

Anyone who has already been in contact with the faulty contracts must nevertheless first revoke their access. Injured users should contact SushiSwap to identify stolen cryptocurrencies. SushiSwap then works towards tracking those assets and completing a return.

Leave a Reply

Your email address will not be published. Required fields are marked *