{"id":76900,"date":"2023-04-09T10:11:48","date_gmt":"2023-04-09T07:11:48","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=76900"},"modified":"2025-09-10T20:06:15","modified_gmt":"2025-09-10T17:06:15","slug":"sushiswap-team-reports-vulnerability-in-platforms-smart-contract","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/sushiswap-team-reports-vulnerability-in-platforms-smart-contract\/","title":{"rendered":"SushiSwap team reports vulnerability in platform&#8217;s smart contract"},"content":{"rendered":"<p>The team behind the decentralised exchange SushiSwap detected a vulnerability in the RouteProcessor2 smart contract, which is used for trade routing. The platform&#8217;s chief, Jared Grey, recommended revoking approvals across all blockchains.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">If you need a quick Revoke source:<a href=\"https:\/\/t.co\/ySLmnCDgsQ\">https:\/\/t.co\/ySLmnCDgsQ<\/a><\/p>\n<p>\u2014 Jared Grey (@jaredgrey) <a href=\"https:\/\/twitter.com\/jaredgrey\/status\/1644916049903583232?ref_src=twsrc%5Etfw\">April 9, 2023<\/a><\/p><\/blockquote>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>There is an approval-related bug in the RouteProcessor2 contract; please revoke permissions urgently. We are working with security-focused teams to fix the issue, he wrote.<\/p>\n<\/blockquote>\n<p>According to <a href=\"https:\/\/twitter.com\/peckshield\/status\/1644907207530774530?s=20\">PeckShield<\/a>, as a result of an attack exploiting this vulnerability, QuadrigaCX co-founder Michael Patryn lost around 1,800 ETH (about $3.3 million at the time of writing).<\/p>\n<p>Twitter user Trust (presumably a white-hat hacker) claimed to have been the first to detect the vulnerability and extracted 100 ETH belonging to Patryn, intending to return them to the rightful owner. 
However, unknown actors traced the attack vector and replicated it.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">This is insane. MEV bots have deployed contracts and copied the attack before I could save everything ?<\/p>\n<p>\u2014 Trust (@trust__90) <a href=\"https:\/\/twitter.com\/trust__90\/status\/1644900643608358913?ref_src=twsrc%5Etfw\">April 9, 2023<\/a><\/p><\/blockquote>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>MEV bots deployed contracts and copied the attack before I had a chance to save everything, he explained.<\/p>\n<\/blockquote>\n<div class=\"wp-block-text-wrappers-update-2 article_update\"><time class=\"gtb_text-wrappers_update_time\">April 9, 2023 | 10:55<\/time><span class=\"gtb_text-wrappers_update_head\">Update: <\/span><\/p>\n<p>1inch Network co-founder Anton Bukov said the attacker carried out the attack through a fake Uniswap v3 pool interacting with SushiSwap\u2019s new router, which did not check that the pool was genuine. This let the fake pool invoke the router callback with malformed arguments.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Hacker used fake <a href=\"https:\/\/twitter.com\/Uniswap?ref_src=twsrc%5Etfw\">@Uniswap<\/a> V3 pool with new <a href=\"https:\/\/twitter.com\/SushiSwap?ref_src=twsrc%5Etfw\">@SushiSwap<\/a> router (3 days), which didn\u2019t had any checks that pool is genuine. So fake pool called router callback with malformed arguments (see last arg on screenshot), which lead to transferFrom() from wrong user <a href=\"https:\/\/t.co\/BrYQCnlVxU\">https:\/\/t.co\/BrYQCnlVxU<\/a> <a href=\"https:\/\/t.co\/zf1PPbfiIe\">https:\/\/t.co\/zf1PPbfiIe<\/a> <a href=\"https:\/\/t.co\/5DuC4ftCb9\">pic.twitter.com\/5DuC4ftCb9<\/a><\/p>\n<p>\u2014 Anton Bukov ?? 
\u2696\ufe0f (@k06a) <a href=\"https:\/\/twitter.com\/k06a\/status\/1644966434592919553?ref_src=twsrc%5Etfw\">April 9, 2023<\/a><\/p><\/blockquote>\n<\/div>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>DeFi Llama noted that the vulnerability threatens only addresses that interacted with SushiSwap in the last four days. The project team also published a list of contracts whose approvals should be revoked.<\/p>\n<\/blockquote>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">here\u2019s the list of contracts on each chain to be revoked <a href=\"https:\/\/t.co\/e6tZCAkFFa\">https:\/\/t.co\/e6tZCAkFFa<\/a><\/p>\n<p>\u2014 0xngmi (llamazip arc) (@0xngmi) <a href=\"https:\/\/twitter.com\/0xngmi\/status\/1644928450359185411?ref_src=twsrc%5Etfw\">April 9, 2023<\/a><\/p><\/blockquote>\n<p>According to The Block, 190 addresses hold approvals for the problematic contracts on the Ethereum blockchain, and over 2,000 addresses do so on the Arbitrum network.<\/p>\n<p>On the news, the platform&#8217;s governance token SUSHI fell by 5%, according to CoinGecko. At the time of writing, the asset was trading near $1.07.<\/p>\n<p>In the first quarter of 2023, blockchain projects <a href=\"https:\/\/forklog.com\/en\/news\/crypto-projects-lost-more-than-320-million-to-hacks-in-the-quarter\">lost more than $320 million<\/a> due to hacks and fraud.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The SushiSwap team detected a vulnerability in the RouteProcessor2 smart contract used for routing trades. 
The platform&#8217;s head, Jared Grey, recommended revoking approvals across all blockchains.<\/p>\n","protected":false},"author":1,"featured_media":76901,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1301,1379],"class_list":["post-76900","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-blockchain-vulnerabilities","tag-sushiswap"],"aioseo_notices":[],"amp_enabled":true,"views":"44","promo_type":"1","layout_type":"1","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/76900","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=76900"}],"version-history":[{"count":1,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/76900\/revisions"}],"predecessor-version":[{"id":76902,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/76900\/revisions\/76902"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/76901"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=76900"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=76900"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=76900"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}