Over the weekend, a critical vulnerability was discovered in DeFi protocol SushiSwap by security firm PeckShield.
The exploit involved the RouterProcessor2 contract used for trade routing on the SushiSwap exchange.
PeckShield took to Twitter to reveal that the contract had an approve-related bug that led to a loss of more than $3.3 million (about 1,800 ETH) from the well-known Crypto Twitter account 0xSifu.
Jared Grey, SushiSwap’s head developer, confirmed the issue and urged users to revoke permissions for all contracts on SushiSwap as a security measure. The exploit primarily affected 0xSifu.
According to DefiLlama developer 0xngmi, the exploit appeared to have impacted users who approved SushiSwap contracts in the last four days. Security teams are still investigating the issue, tracking stolen funds, and working to recover affected assets.
Recovery Efforts
Grey revealed that recovery efforts are underway. MetaSleuth provided a breakdown of the stolen funds, showing that the first attacker, 0x9deff, returned 90 ETH of the 100 they had stolen, while BlockSec rescued 100 ETH and pledged to return it shortly.
Negotiations are ongoing between sifuvision.eth and c0ffeebabe.eth, and most stolen funds were traced to “beaverbuild, rsync-builder, and Lido: Execution Layer Rewards Vault”.
As developers and security teams continue to address the vulnerability and recover lost funds, users are strongly advised to revoke permissions for all SushiSwap contracts to protect their assets.
The incident highlights the importance of ongoing vigilance and security measures within the DeFi ecosystem, which remains vulnerable to exploits and attacks that target misconfigured account permissions such as standing token approvals.