Decentralized exchange SushiSwap was hacked on April 9 for more than $3.3 million. The attack followed from a bug in the approval system of the exchange’s RouteProcessor2 contract on Ethereum.
The exploit led to the loss of more than 1,800 ether (ETH). Following the attack, SushiSwap’s head chef Jared Grey advised affected users to revoke contract approvals.
Compromised SushiSwap contract
PeckShield, a blockchain security firm, reported a breach in the SushiSwap system caused by an approval-related bug that resulted in a loss of more than 1,800 ETH, or about $3.3 million.
The bug affected the RouteProcessor2 contract responsible for merchant routing services on SushiSwap.
According to PeckShield, the exploit targeted numerous chains where the affected smart contract operates, including Ethereum, Avalanche, Fantom, and Binance Smart Chain (BSC).
All compromised addresses were logged and owners were advised to revoke contract approvals as soon as possible.
SushiSwap’s head chef, Jared Grey, acknowledged the breach in the system, noting that the exchange had deployed security personnel to limit the damage from the hack.
He added that the team had not yet established the number of affected users, but assured customers that only those exposed to the compromised contract were at risk.
SushiSwap users under threat
The hack affected users who made transactions on SushiSwap in the last four days. Affected users were advised to transfer money to new wallets or cancel approvals.
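The advice to cancel approvals can be triaged from a wallet's ERC-20 `Approval` logs, as in this added example (not code from SushiSwap, PeckShield or BlockSec). All addresses are placeholders, since the article does not give the contract address, and the logs are constructed.

```python
# ERC-20 standard constants: Approval(address,address,uint256) topic0, approve() selector.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
APPROVE_SELECTOR = "095ea7b3"
MAX_UINT256 = 2**256 - 1

# Placeholders, not real addresses (the article does not list any).
AFFECTED_SPENDER = "0x" + "11" * 20
OTHER_SPENDER = "0x" + "22" * 20
WALLET, TOKEN_A, TOKEN_B = "0x" + "aa" * 20, "0x" + "c1" * 20, "0x" + "c2" * 20

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the last 20."""
    return "0x" + topic[-40:].lower()

def make_log(token, owner, spender, value, block, index=0):
    """Build a constructed log in the shape eth_getLogs returns."""
    pad = lambda a: "0x" + a[2:].rjust(64, "0")
    return {"address": token, "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(value, "064x"), "blockNumber": block, "logIndex": index}

def outstanding_approvals(logs, spender):
    """Return {(token, owner): value} where the latest approval to spender is non-zero.
    The logged value is an upper bound (transferFrom may have reduced it);
    confirm with the token's allowance(owner, spender) before acting."""
    latest = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # ERC-721 Approval shares topic0 but has 4 topics
        if topic_to_address(topics[2]) != spender.lower():
            continue
        latest[(log["address"].lower(), topic_to_address(topics[1]))] = int(log["data"], 16)
    return {key: value for key, value in latest.items() if value > 0}

def revoke_calldata(spender):
    """ABI-encode approve(spender, 0); the owner sends it to each token contract."""
    return "0x" + APPROVE_SELECTOR + spender[2:].lower().rjust(64, "0") + "0" * 64

SAMPLE_LOGS = [  # constructed, deliberately out of order
    make_log(TOKEN_B, WALLET, AFFECTED_SPENDER, 0, 110),           # already revoked
    make_log(TOKEN_A, WALLET, AFFECTED_SPENDER, MAX_UINT256, 100),  # still exposed
    make_log(TOKEN_B, WALLET, AFFECTED_SPENDER, 1000, 101),
    make_log(TOKEN_A, WALLET, OTHER_SPENDER, MAX_UINT256, 102),     # unrelated spender
]

if __name__ == "__main__":
    for (token, owner), value in outstanding_approvals(SAMPLE_LOGS, AFFECTED_SPENDER).items():
        print(owner, "on", token, "allowance", hex(value), "->", revoke_calldata(AFFECTED_SPENDER))
```

Because the contract operates on several chains, the same check has to be repeated against each chain's logs.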
Reports from Twitter indicate that the $3.3 million lost may have come from a single customer, @0xsifu, a prominent cryptocurrency enthusiast on Crypto Twitter.
Security teams respond
Smart contract auditing firm BlockSec revealed that they knew about the security breach in SushiSwap and had estimated the likely dangers before announcing it.
The company noted that their priority was to secure user assets and that they had already saved multiple assets whose details would be revealed to the public at later stages.
The firm further claimed that they had already recovered 100 Ether, worth $180,000, from the attacker and asked the owner of the compromised contract to contact them for compensation.