Decentralized exchange SushiSwap suffered an attack on its trade router. The attacker managed to withdraw 1,800 ETH (~$3.3 million) and put at risk every user who had traded on the DEX in the “last four days.”
Security firm PeckShield discovered a vulnerability in the RouteProcessor2 smart contract on SushiSwap. The attacker exploited an approve-related bug and withdrew about 1,800 ETH.
The main victim of the exploit was Michael Patryn, Co-Founder of the bankrupt Canadian exchange QuadrigaCX; it was his account on the DEX that was drained. An anonymous Twitter user, Trust, claimed that he had spotted the vulnerability and withdrawn 100 ETH from Patryn’s account in order to return the funds to the owner later. However, the attacker was able to follow the white-hat hacker’s actions and repeat them.
The attacker triggered the RouteProcessor2 router’s callback on SushiSwap from a “fake pool” posing as a Uniswap v3 pool. Anton Bukov, Co-Founder of 1inch Network, shared this information. He believes that the router did not authenticate the caller of that callback, which allowed the hacker to carry out the attack.
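As an added illustration (not SushiSwap’s RouteProcessor2 code, which this article does not reproduce), the hypothetical Solidity router below shows the kind of caller authentication Bukov refers to: the swap callback only accepts the pool the router itself is mid-swap with, and confirms that pool is one the canonical Uniswap v3 factory knows. The contract and variable names are assumptions; the Uniswap v3 interface signatures are the protocol’s real ones.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustration only: HypotheticalRouter and expectedPool are assumed names.
interface IUniswapV3Factory {
    function getPool(address tokenA, address tokenB, uint24 fee) external view returns (address);
}

interface IUniswapV3Pool {
    function token0() external view returns (address);
    function token1() external view returns (address);
    function fee() external view returns (uint24);
    function swap(address recipient, bool zeroForOne, int256 amountSpecified,
                  uint160 sqrtPriceLimitX96, bytes calldata data) external returns (int256, int256);
}

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract HypotheticalRouter {
    IUniswapV3Factory public immutable factory;
    // The one pool this router is currently swapping against; zero when idle.
    address private expectedPool;

    constructor(address _factory) { factory = IUniswapV3Factory(_factory); }

    function exactInput(address pool, bool zeroForOne, int256 amountIn, uint160 priceLimit) external {
        // Canonical-pool check: the factory must know this pool for its own token pair and fee tier.
        IUniswapV3Pool p = IUniswapV3Pool(pool);
        require(factory.getPool(p.token0(), p.token1(), p.fee()) == pool, "not a canonical pool");
        expectedPool = pool;
        // The payer is fixed here by the router (the user who called exactInput), never by the pool.
        address tokenIn = zeroForOne ? p.token0() : p.token1();
        p.swap(msg.sender, zeroForOne, amountIn, priceLimit, abi.encode(msg.sender, tokenIn));
        expectedPool = address(0);
    }

    // Weak pattern (the failure mode described above): accepting this callback from any caller
    // and pulling tokens from an address read out of `data` lets an arbitrary contract spend
    // every allowance users have granted the router.
    // Hardened pattern: only the pool set during our own swap may call back.
    function uniswapV3SwapCallback(int256 amount0Delta, int256 amount1Delta, bytes calldata data) external {
        require(msg.sender == expectedPool && msg.sender != address(0), "callback from unexpected caller");
        (address payer, address tokenIn) = abi.decode(data, (address, address));
        uint256 amountToPay = amount0Delta > 0 ? uint256(amount0Delta) : uint256(amount1Delta);
        require(IERC20(tokenIn).transferFrom(payer, msg.sender, amountToPay), "transfer failed");
    }
}
```

Because `expectedPool` is set only inside the router’s own swap and cleared afterwards, a contract that merely mimics a pool cannot reach the `transferFrom` path, regardless of what allowances users have granted.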
According to an anonymous developer, 0xngmi, the hack could affect users who traded on the DEX in the “last four days.” Jared Grey, Head Developer of SushiSwap, urged users to revoke permissions for all SushiSwap contracts as a security measure. The project team published on GitHub a list of contracts, across several blockchains, whose approvals need to be revoked. The Block reports that at least 190 addresses on the Ethereum blockchain and over 2,000 addresses on Arbitrum had granted approvals to “the problematic contract.”
The events caused the SUSHI token to plummet, losing about 5% of its value. According to CoinGecko, the asset’s price was $1.1 at 11:00 (GMT+3) on April 10.
DeFi remains the most vulnerable sector in the crypto market. Hackers stole over $6.77 billion via DeFi protocols in the last two years.