SushiSwap’s Security Breach: Millions Lost in Critical Vulnerability
PeckShield, a security firm, discovered a critical vulnerability in the SushiSwap DeFi protocol this past weekend.
The flaw is related to the “RouterProcessor2” contract utilized for trade routing on the SushiSwap exchange. According to PeckShield, a bug in the contract resulted in over $3.3 million in losses for a single user, known as 0xsifu, who is well-known in the Crypto Twitter community.
It seems the @SushiSwap RouterProcessor2 contact has an approve-related bug, which leads to the loss of >$3.3M loss (about 1800 eth) from @0xSifu.
If you have approved https://t.co/E1YvC6VZsP, please *REVOKE* ASAP!
One example hack tx: https://t.co/ldg0ww3hAN pic.twitter.com/OauLbIgE0Q
— PeckShield Inc. (@peckshield) April 9, 2023
SushiSwap’s head developer, Jared Grey, confirmed the issue and advised users to revoke permissions for all contracts on the platform as a precautionary measure.
Sushi's RouteProcessor2 contract has an approval bug; please revoke approval ASAP. We're working with security teams to mitigate the issue. https://t.co/WhXJfa5xD4
— Jared Grey (@jaredgrey) April 9, 2023
The incident highlighted the need for continued vigilance and security measures in the DeFi ecosystem. The sector remains vulnerable to exploits and attacks targeted at misconfigured accounts.
It is recommended that users revoke permissions for all SushiSwap contracts to safeguard their assets while developers and security teams work to address the vulnerability and recover lost funds.
READ MORE: Ripple’s Lawsuit: New Developments Could Have a Huge Impact
Recovery efforts are underway, with some stolen funds already being returned. The initial attacker, 0x9deff, has returned 90 ETH out of the 100 they stole, and BlockSec has recovered and pledged to return 100 ETH soon.
There are ongoing negotiations between sifuvision.eth and c0ffeebabe.eth, as most of the stolen funds, have been traced to “beaverbuild, rsync-builder, and Lido: Execution Layer Rewards Vault.”
BlockSecTeam acknowledged their involvement in the recovery efforts and tweeted that they had rescued part of the funds and would release details later. It is crucial to note that users should exercise caution and ensure their accounts are properly configured to avoid potential vulnerabilities in the future.
At the time of writing, SUSHI is trading at $1.08 after a 4.9% drop on the daily chart.
Alexander Stefanov
Reporter at CoinsPress
Alex is Editor-in-Chief of Coinspress and co-founder of Millennial Media Group, with nearly a decade of experience covering financial markets - crypto first, then everything else. It started in 2016 with Bitcoin. Like most people at the time, he didn't fully understand it - so he kept digging. Blockchain, tokenomics, the projects, the cycles. That curiosity never stopped, and eventually pulled him into traditional markets too: equities, commodities, macro. Not because he left crypto behind, but because you can't properly understand one without the other. What drives him is straightforward: he wants to know why something is happening, not just that it's happening. Most market coverage stops at the headline - price up, price down, here's a chart. Alex finds that kind of reporting actively unhelpful. If you walk away from an article without understanding the mechanism behind the move, what did you actually learn? He holds a degree in Tourism from New Bulgarian University - not the most obvious path into financial markets, but markets have a way of pulling in people who are simply too curious to stay out. He has authored over 200 in-depth analyses and more than 10,000 articles across crypto and traditional finance. He still thinks every day in markets teaches him something new. That's probably why he hasn't stopped.
