SushiSwap has released a plan to return funds to users affected by the hack that took place over the weekend.
On April 9, SushiSwap was exploited through an approve-related bug in its RouterProcessor2 contract. Users who had granted token approvals to the vulnerable contract had their assets stolen, leading to a total loss of around $3.3 million.
Fortunately, one of the attackers returned 90 ETH stolen in the attack, while security firm BlockSec recovered another 100 ETH.
The decentralized exchange stated that user funds were either “swept by whitehat security teams” or “lost to blackhat hackers”. If the funds are in the whitehat contract, it means the security teams recovered the funds, and users will be able to claim them.
SushiSwap will build a Merkle Claim contract to return the recovered funds to user wallets.
However, for funds stuck in the blackhat contract, users will have to wait longer for a refund. This is because the decentralized exchange has to manually verify the legitimacy of each claim through on-chain data analysis and pay it out accordingly.
SushiSwap noted that users who did not interact with the protocol over the past 10 days are likely unaffected by the hack. Nonetheless, the team urged users to check their approvals as a security measure.
SushiSwap stated that it will conduct a post-mortem of the hack to identify any security issues and improve its protocol’s security.