Popular decentralized exchange (DEX) platform SushiSwap has suffered more than $3.3 million in losses after a hacker exploited a bug in a smart contract.
More specifically, the DEX saw its RouteProcessor2 contract, a smart contract that aggregates trade liquidity from multiple sources and identifies the most favorable price for swapping coins, exploited and then distributed across various blockchain networks.
"Root cause is because in the internal swap() function, it will call swapUniV3() to set variable 'lastCalledPool' which is at storage slot 0x00," crypto security firm Ancilia said in a tweet. "Later on in the swap3callback function the permission check gets bypassed."
Pseudonymous DefiLlama developer 0xngmi suggested that only users who had swapped in the protocol during the past four days should be affected by the hack.
“Only users impacted by Sushiswap hack should be those that swapped on Sushiswap in the last 4 days. If you did so, revert approvals ASAP or move your funds in the affected wallet to a new wallet,” 0xngmi tweeted.
At least one user has fallen victim to the hack so far. The victim, who is a well-known crypto advocate called Sifu, reportedly lost 1,800 ETH (worth around $3.3 million).
Meanwhile, Sushi's lead developer, Jared Grey, has urged users to revoke permissions for all contracts on the protocol, stating, "Sushi's RouteProcessor2 contract has an approval bug; please revoke approval ASAP."
He also published a list on GitHub of the contracts, across different blockchains, that require revocation to address the problem. Notably, the vulnerable contract is also deployed on Polygon, a popular Ethereum layer-2 solution.
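One way to find approvals still outstanding to a contract on such a revocation list, as an added example that is not from the article or from Sushi. It assumes raw ERC-20 `Approval` logs in the JSON-RPC `eth_getLogs` shape; every address is a constructed placeholder, not a real RouteProcessor2 deployment, and the helper names are hypothetical.

```python
# keccak256("Approval(address,address,uint256)"), the ERC-20 Approval event topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"

def topic_to_address(topic):
    # Indexed addresses are left-padded to 32 bytes; the last 20 bytes are the address.
    return "0x" + topic[-40:].lower()

def outstanding_approvals(logs, flagged_spenders):
    """Map (token, owner, spender) -> last approved amount, for non-zero
    approvals to flagged spenders. transferFrom can spend an allowance without
    emitting Approval, so this is an upper bound; confirm with allowance()."""
    flagged = {s.lower() for s in flagged_spenders}
    latest = {}
    chain_order = lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16))
    for log in sorted(logs, key=chain_order):
        topics = log["topics"]
        # ERC-721 Approval has the same topic0 but four topics (indexed tokenId): skip it.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        key = (log["address"].lower(), topic_to_address(topics[1]), topic_to_address(topics[2]))
        latest[key] = int(log["data"], 16)  # a later approve() overwrites the earlier one
    return {k: v for k, v in latest.items() if k[2] in flagged and v > 0}

# --- Constructed sample data; every address below is a placeholder ---
ROUTER, OTHER = "0x" + "aa" * 20, "0x" + "bb" * 20
TOKEN, ALICE, BOB = "0x" + "cc" * 20, "0x" + "01" * 20, "0x" + "02" * 20
UNLIMITED = 2**256 - 1

def make_log(block, index, owner, spender, value):
    pad = lambda a: "0x" + a[2:].rjust(64, "0")
    return {"address": TOKEN, "blockNumber": hex(block), "logIndex": hex(index),
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(value, "064x")}

SAMPLE_LOGS = [
    make_log(18, 0, BOB, ROUTER, 0),            # Bob revokes (listed out of order on purpose)
    make_log(16, 0, ALICE, ROUTER, UNLIMITED),  # Alice: unlimited approval, never revoked
    make_log(17, 0, BOB, ROUTER, 1000),         # Bob approves, then revokes in block 18
    make_log(18, 1, ALICE, OTHER, UNLIMITED),   # spender not on the revocation list
]

if __name__ == "__main__":
    for (token, owner, spender), amount in outstanding_approvals(SAMPLE_LOGS, [ROUTER]).items():
        print(f"REVOKE token={token} owner={owner} spender={spender} allowance={amount}")
```

Setting the allowance back to zero with the token's `approve(spender, 0)` is what clears an entry from this result.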
The SushiSwap team has managed to recover a significant portion of the stolen funds through a white hat