
SushiSwap team reports vulnerability in platform’s smart contract
The team behind the decentralised exchange SushiSwap detected a vulnerability in the RouteProcessor2 smart contract, which is used for trade routing. The platform’s chief, Jared Grey, recommended revoking approvals across all blockchains.
If you need a quick Revoke source: https://t.co/ySLmnCDgsQ
— Jared Grey (@jaredgrey) April 9, 2023
"There is an approval-related bug in the RouteProcessor2 contract; please revoke permissions urgently. We are working with security-focused teams to fix the issue," he wrote.
According to PeckShield, an attack exploiting the bug cost QuadrigaCX co-founder Michael Patryn around 1,800 ETH (about $3.3 million at the time of writing).
Twitter user Trust (presumably a white-hat hacker) claimed to have been the first to detect the vulnerability and extracted 100 ETH belonging to Patryn, intending to return them to the rightful owner. However, unknown actors traced the attack vector and replicated it.
This is insane. MEV bots have deployed contracts and copied the attack before I could save everything.
— Trust (@trust__90) April 9, 2023
"MEV bots deployed contracts and copied the attack before I had a chance to save everything," he explained.
1inch Network co-founder Anton Bukov said the attacker used a fake Uniswap v3 pool together with SushiSwap's new router, which performed no check that the pool calling it was genuine. The fake pool could therefore invoke the router's callback with malformed arguments.
Hacker used fake @Uniswap V3 pool with new @SushiSwap router (3 days), which didn't have any checks that pool is genuine. So fake pool called router callback with malformed arguments (see last arg on screenshot), which led to transferFrom() from wrong user https://t.co/BrYQCnlVxU https://t.co/zf1PPbfiIe pic.twitter.com/5DuC4ftCb9
— Anton Bukov ⚖️ (@k06a) April 9, 2023
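The callback pattern Bukov describes, as an added illustration that is not SushiSwap's RouteProcessor2 code (contract, function and variable names are assumed): a router whose callback trusts any caller and takes the payer from caller-supplied data, beside a hardened form that accepts the callback only from the pool it just called and charges only the user who initiated the swap.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative only: assumed names, not SushiSwap's RouteProcessor2 source.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface IV3PoolLike {
    function swap(address to, bool zeroForOne, int256 amount, uint160 limit, bytes calldata data)
        external returns (int256, int256);
}

// Vulnerable pattern: any caller may invoke the callback, and the payer comes from caller data.
contract VulnerableRouter {
    function uniswapV3SwapCallback(int256 amount0Delta, int256 amount1Delta, bytes calldata data) external {
        (address token, address payer) = abi.decode(data, (address, address));
        uint256 owed = uint256(amount0Delta > 0 ? amount0Delta : amount1Delta);
        // No check that msg.sender is a genuine pool, so a fake pool can name any
        // user who has approved this router as `payer`.
        IERC20(token).transferFrom(payer, msg.sender, owed);
    }
}

// Hardened pattern: the router records the pool it called and who pays, and the
// callback honours only that pool and that payer.
contract HardenedRouter {
    address private expectedPool;
    address private payer;
    address private payToken;

    function swapExactIn(address pool, address tokenIn, bool zeroForOne, int256 amountIn, uint160 limit) external {
        require(expectedPool == address(0), "swap in progress"); // no nested swaps
        expectedPool = pool;
        payer = msg.sender;
        payToken = tokenIn;
        IV3PoolLike(pool).swap(msg.sender, zeroForOne, amountIn, limit, "");
        expectedPool = address(0);
    }

    function uniswapV3SwapCallback(int256 amount0Delta, int256 amount1Delta, bytes calldata) external {
        // Only the pool this router just called may trigger a payment.
        require(msg.sender == expectedPool, "unexpected callback caller");
        uint256 owed = uint256(amount0Delta > 0 ? amount0Delta : amount1Delta);
        // The payer is the user who initiated the swap, never a callback argument.
        IERC20(payToken).transferFrom(payer, msg.sender, owed);
    }
}
```

With the hardened form, a malicious pool supplied by a user can at most charge that same user, since the payer is the swap initiator; Uniswap's own periphery instead recomputes the expected pool address from the factory and token pair inside the callback, which achieves the same binding.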
DeFi Llama noted that the vulnerability threatens only addresses that interacted with SushiSwap in the last four days. The project team also published a list of contracts whose approvals should be revoked.
here’s the list of contracts on each chain to be revoked https://t.co/e6tZCAkFFa
— 0xngmi (llamazip arc) (@0xngmi) April 9, 2023
According to The Block, 190 addresses had granted approvals to the problematic contract on Ethereum, and more than 2,000 on Arbitrum.
Against the backdrop of the news, the platform’s governance token SUSHI fell by 5%, according to CoinGecko. At the time of writing, the asset was trading near $1.07.
In the first quarter of 2023, blockchain projects lost more than $320 million due to hacks and fraud.