• SushiSwap has fallen victim to an exploit.

• Only users who have interacted with the decentralized exchange in the last four days seem to be affected.

Decentralized exchange SushiSwap has fallen victim to an exploit, which led to the loss of more than $3.3 million from at least one user, known as 0xSifu on Twitter.

The exploit involves an approve-related bug in the RouterProcessor2 contract. PeckShield and SushiSwap Head Chef Jared Grey recommend revoking approvals for that contract on all chains.

According to Ancilia, Inc., the root cause, in technical terms, "is because in the internal swap() function, it will call swapUniV3() to set variable 'lastCalledPool' which is at storage slot 0x00." The cybersecurity account adds that "later on in the swap3callback function the permission check gets bypassed."

DeFi Llama's @0xngmi claims only those who swapped on SushiSwap within the last four days should be affected. They also published a list of contracts across all chains that should be revoked.

The Block Research Analyst Kevin Peng explains that, so far, 190 Ethereum addresses have approved the problematic contract. However, more than 2000 addresses on Layer 2 Arbitrum have seemingly approved the bad contract.
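The counts above are of addresses that approved the contract. As an added example (not from the article or from SushiSwap), the sketch below replays ERC-20 `Approval` logs in chain order to separate approvals that are still open from those already revoked. The spender address is a placeholder and every log is constructed; the real contract addresses come from the published revocation list.

```python
# Added example: replay ERC-20 Approval logs to find allowances still open to a spender.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
SPENDER = "0x" + "ab" * 20  # placeholder, NOT the real RouterProcessor2 address

def topic_to_addr(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def live_allowances(logs, spender):
    """Return {(owner, token): amount} for approvals to `spender` that are still non-zero."""
    state = {}
    # Replay in chain order so a later approve(spender, 0) overrides the earlier grant.
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        # ERC-20 Approval: 3 topics, amount in data. ERC-721 reuses the signature
        # with an indexed tokenId (4 topics, empty data) and must be skipped.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_addr(topics[2]) != spender.lower():
            continue
        key = (topic_to_addr(topics[1]), log["address"].lower())
        state[key] = int(log["data"], 16)
    return {k: v for k, v in state.items() if v > 0}

def exposed_owners(logs, spender):
    """Distinct owner addresses that still have a live approval to `spender`."""
    return sorted({owner for owner, _token in live_allowances(logs, spender)})

# --- Constructed sample data (all addresses and amounts are made up) ---
ALICE, BOB, CAROL = ("0x" + b * 20 for b in ("11", "22", "33"))
TOKEN_A, OTHER = "0x" + "aa" * 20, "0x" + "cd" * 20
MAX_UINT = 2**256 - 1

def mk_log(block, idx, token, owner, spender, amount):
    pad = lambda a: "0x" + "00" * 12 + a[2:]
    return {"blockNumber": block, "logIndex": idx, "address": token,
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(amount, "064x")}

SAMPLE_LOGS = [
    mk_log(105, 1, TOKEN_A, BOB, SPENDER, 0),           # Bob revokes (listed out of order)
    mk_log(100, 0, TOKEN_A, ALICE, SPENDER, MAX_UINT),  # Alice: unlimited, never revoked
    mk_log(101, 3, TOKEN_A, BOB, SPENDER, 500),         # Bob's original grant
    mk_log(102, 0, TOKEN_A, CAROL, OTHER, 1000),        # different spender, ignored
    {"blockNumber": 103, "logIndex": 0, "address": TOKEN_A, "data": "0x",  # ERC-721 style
     "topics": [APPROVAL_TOPIC, "0x" + "00" * 32, "0x" + "00" * 32, "0x" + "00" * 31 + "07"]},
]

if __name__ == "__main__":
    print(exposed_owners(SAMPLE_LOGS, SPENDER))
```

In the sample, only the owner whose unlimited approval was never reset to zero is reported; the revoked grant and the approval to a different spender drop out.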
