Decentralized exchange SushiSwap has fallen victim to an exploit, which led to the loss of more than $3.3 million from at least one user, known as 0xSifu on Twitter.
The exploit involves an approve-related bug on the RouterProcessor2 contract, and PeckShield and SushiSwap Head Chef Jared Grey recommend revoking approvals for it on all chains.
According to Ancilia, Inc., the root cause, in technical terms, "is because in the internal swap() function, it will call swapUniV3() to set variable 'lastCalledPool' which is at storage slot 0x00."
The cybersecurity account adds that "later on in the swap3callback function, the permission check gets bypassed."
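The revocation advice above can be checked against ERC-20 Approval logs. The following is an added example, not code from SushiSwap, PeckShield or Ancilia: it replays constructed logs and lists the allowances still granted to a spender on each chain. The router address, tokens, owners and log entries are placeholders, and the `chain` field and already-decoded integer block numbers are assumptions about how the logs were collected.

```python
# Added example; every address and log entry here is a constructed placeholder.
# keccak256("Approval(address,address,uint256)"), the ERC-20 Approval event topic.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
ROUTER = "0x" + "aa" * 20  # placeholder, NOT the real RouterProcessor2 address
OTHER = "0x" + "bb" * 20   # unrelated spender
ALICE, BOB = "0x" + "11" * 20, "0x" + "22" * 20
TOKEN_X, TOKEN_Y = "0x" + "c1" * 20, "0x" + "c2" * 20
MAX_UINT256 = 2**256 - 1

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def outstanding_approvals(logs, spender):
    """Map (chain, token, owner) -> last non-zero allowance granted to spender."""
    latest = {}
    ordered = sorted(logs, key=lambda l: (l["chain"], l["blockNumber"], l["logIndex"]))
    for log in ordered:
        topics = log["topics"]
        # ERC-20 Approval carries 3 topics; ERC-721 Approval carries 4, so skip it.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(topics[2]) != spender.lower():
            continue
        key = (log["chain"], log["address"].lower(), topic_to_address(topics[1]))
        # Each approve() overwrites the previous one; approve(spender, 0) revokes.
        latest[key] = int(log["data"], 16)
    return {k: v for k, v in latest.items() if v > 0}

def make_log(chain, block, index, token, owner, spender, amount):
    """Build a constructed log entry shaped like a decoded eth_getLogs result."""
    pad = lambda a: "0x" + "00" * 12 + a[2:]
    return {"chain": chain, "blockNumber": block, "logIndex": index, "address": token,
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(amount, "064x")}

SAMPLE_LOGS = [
    make_log("ethereum", 100, 0, TOKEN_X, ALICE, ROUTER, MAX_UINT256),  # still live
    make_log("ethereum", 101, 3, TOKEN_X, BOB, ROUTER, 500),
    make_log("ethereum", 150, 1, TOKEN_X, BOB, ROUTER, 0),              # revoked
    make_log("polygon", 7, 0, TOKEN_Y, BOB, ROUTER, 500),               # other chain
    make_log("ethereum", 120, 2, TOKEN_Y, ALICE, OTHER, 1000),          # other spender
]

if __name__ == "__main__":
    for (chain, token, owner), amount in outstanding_approvals(SAMPLE_LOGS, ROUTER).items():
        print(f"{chain}: {owner} still allows {amount} of {token}")
```

A log-derived allowance is an upper bound, since `transferFrom` can spend it down without emitting a new Approval event; confirm the live value with the token's `allowance(owner, spender)` before and after revoking.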
History tells us that on September 7th, 2021, the decentralized exchange SushiSwap suffered a significant hack that resulted in a loss of over $14 million in funds. The hack targeted the exchange's BentoBox platform, which is designed to store user funds and enable lending and borrowing.
The hack was carried out by exploiting a vulnerability in the SushiSwap contracts, which allowed the attacker to steal funds from the exchange's MISO launchpad. The attacker then used a series of complex transactions to cover their tracks, making it difficult to trace the stolen funds.
Following the hack, SushiSwap quickly announced that it would be compensating affected users using its own treasury funds. Additionally, the exchange has taken steps to improve its security protocols, including launching a bug bounty program and conducting regular security audits.
Despite the hack of September 7th, 2021, SushiSwap remains a popular and trusted decentralized exchange within the crypto community. As with any decentralized platform, there is always a risk of hacks and security breaches.
Closing Thought
SushiSwap demonstrated a commitment to improving its security measures and compensating affected users after the September 7th, 2021 hack, which has helped to restore trust in the platform in recent years. The big question here is: will they come out of this recent hack stronger than ever before?