SushiSwap - $3.3 Million Smart Contract Hack

Welcome to CryptoGod-1's blog on all things crypto. News has recently emerged of a hack on the SushiSwap DeFi exchange, with a reported $3.3 million stolen through an exploit of a bug in one of its smart contracts.

SushiSwap Hack for $3.3 Million

The popular DEX (decentralized exchange) SushiSwap was the victim of a hack in which more than $3.3 million was taken through a bug in a smart contract discovered by one or more hackers. The bug was in the RouteProcessor2 contract, a component of the DEX that finds traders the most favourable price by aggregating liquidity from multiple sources before selecting the best rate for swapping coins. The bug was exploited on multiple blockchain networks. According to crypto security firm Ancilia:

"Root cause is because in the internal swap() function, it will call swapUniV3() to set variable "lastCalledPool" which is at storage slot 0x00. Later on in the swap3callback function the permission check gets bypassed."

It has been suggested that any user who swapped coins in the four days leading up to the hack could be at risk from the exploit. DefiLlama's pseudonymous developer 0xngmi tweeted that only those who used SushiSwap over that period should be affected.

According to reports, one user has been confirmed as impacted so far, although many more are suspected to be victims. That user, the well-known crypto advocate Sifu, apparently had 1,800 ETH (about $3.3 million) stolen. According to The Block Research analyst Kevin Peng, around 190 Ethereum addresses are so far known to have approved the problematic contract, while roughly 2,000 addresses on the Layer 2 network Arbitrum have also apparently approved it.

Funds Recovered

All is not lost, however: Tweets have emerged that the hackers were traced and have agreed to return some of the stolen funds. As shown in the Tweet below, the first hacker has agreed to return 90 of the 100 ETH they took, while negotiations are underway to have the remaining ETH, or as much of it as possible, returned to its rightful owner.

Following on from that, the SushiSwap team announced they had managed to recover even more of the funds, with over 300 ETH confirmed recovered and returned, and a further 700 ETH expected to be given back.

The exploit relied on users having fallen victim to an approve-related bug in the RouteProcessor2 contract. Once a user approved this contract, for example from their MetaMask wallet, the exploiter could pull the user's tokens. The first attack worked in this way, allowing the unauthorized party to take whatever amount of tokens they wanted from the wallet without any further approval from the token owner. The first attack was apparently for around 100 ETH; a user Tweeted confirming they had 'whitehacked' 100 ETH.
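To make the root cause described above concrete, here is an added toy model (not SushiSwap's code) of the pattern the Ancilia quote and the paragraph above describe: a route step records lastCalledPool, the swap callback trusts msg.sender == lastCalledPool and then pulls tokens from a user who approved the router. All names, the pool registry and the ledger are constructed, and the hardened checks (a registry of known pools, binding the payer to the transaction sender, and clearing lastCalledPool after use) are an illustrative design, not the project's actual patch.

```python
# Added example, not SushiSwap's code: a toy model of the flow the article describes.
# swap_uni_v3() records lastCalledPool ("storage slot 0x00"); the callback trusts
# msg.sender == lastCalledPool and pulls tokens from a user who approved the router.
# Names are constructed; the hardened checks are illustrative, not the actual patch.

class Token:
    """Minimal ERC-20-style ledger: balances plus (owner, spender) -> allowance."""
    def __init__(self, balances, allowance):
        self.balances, self.allowance = dict(balances), dict(allowance)

    def transfer_from(self, spender, owner, to, amount):
        if self.allowance.get((owner, spender), 0) < amount:
            raise PermissionError("allowance too low")
        self.allowance[(owner, spender)] -= amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


class Router:
    def __init__(self, token, trusted_pools, hardened):
        self.token, self.hardened = token, hardened
        self.trusted_pools = set(trusted_pools)  # pools the router knows are genuine
        self.last_called_pool = None             # the article's "lastCalledPool"
        self.payer = None

    def swap_uni_v3(self, caller, pool):
        """Route step: remember the pool we are swapping with before calling it."""
        if self.hardened and pool not in self.trusted_pools:
            raise PermissionError("pool address is not a known pool")
        self.last_called_pool, self.payer = pool, caller

    def swap_callback(self, msg_sender, claimed_payer, amount):
        """Pool callback that collects the pool's input tokens from the payer."""
        if msg_sender != self.last_called_pool:
            raise PermissionError("callback from unexpected sender")
        payer = self.payer if self.hardened else claimed_payer  # bind payer to tx sender
        if self.hardened:
            self.last_called_pool = None         # single use: no replayed callbacks
        self.token.transfer_from("router", payer, msg_sender, amount)


def pull_via_unknown_pool(hardened):
    """How much of an approver's balance a pool the router never vetted can take."""
    token = Token({"approver": 100, "unknown_pool": 0}, {("approver", "router"): 100})
    router = Router(token, trusted_pools={"real_pool"}, hardened=hardened)
    try:
        router.swap_uni_v3(caller="unknown_pool", pool="unknown_pool")
        router.swap_callback("unknown_pool", "approver", 100)
    except PermissionError:
        pass
    return token.balances["unknown_pool"]
```

With `hardened=False` the whole approved balance moves to the unvetted pool; with `hardened=True` the route step rejects the unknown pool and the approval alone is not enough.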

From there a further 1,800 ETH was stolen: once it was noticed that the user @trust_90 had exploited a bug, MEV bots were quick to pounce. They made use of the same contract but named their function "notyoink" as part of their hack.

SushiSwap Response

A lead developer for SushiSwap, Jared Grey, asked users to revoke their permissions for all contracts on the protocol to lessen the impact of the bug. He also created a list on GitHub of the contracts on each blockchain that require revocation to address the problem. A major issue with the bug is that the vulnerable contract had also been deployed on Polygon.

SushiSwap's CEO, Matthew Lilley, followed up later in the day and stated there were no issues with actually using the DEX. By then all exposure to RouteProcessor2 had been removed from the front end and all swap activity on the DEX platform was safe to engage in.

Community Response

The crypto community's response was mixed, with many questioning the legitimacy of the hack. The whole process has made some question what really happened, especially when developer Jared Grey stated that some of the funds would be recovered through a 'whitehat security process.'

Community members were quick to point out that the router contract was 'used by almost no one' and that as soon as it was used, it was immediately exploited. This gave the sense of somebody waiting patiently to strike the moment they saw an opportunity.

Another user, this one associated with Cardano (ADA), was quick to claim that these are 'Ethereum issues' and that they are what make crypto look bad to the outside world. There have been plenty of hacks across multiple chains over the years, but data for 2023 shows that a large share of the losses from hacks have come from the Ethereum network. This was backed up by a report from blockchain security firm CertiK, which stated that hackers gained access to more than $320 million in the first quarter of 2023. Of that amount, around $221 million is reported to have come from incidents on the Ethereum blockchain.

These are interesting developments for SushiSwap and Ethereum, and they certainly highlight the need to be careful about which applications a user's wallet grants permissions to. While the number of hacks on Ethereum is extremely high compared to other networks, it should also be noted that the majority of users are on Ethereum rather than those networks, so with more funds available it becomes the go-to destination for hackers.

Have a great day.

CryptoGod-1.
