SushiSwap, the popular DeFi protocol, was exploited through a critical vulnerability over the weekend, leading to a loss of over $3.3 million. Security firm PeckShield discovered the exploit, which involved the ‘RouteProcessor2’ contract used for trade routing on the SushiSwap exchange.
According to PeckShield, the vulnerability led to the loss of approximately 1,800 ETH from 0xSifu. SushiSwap’s head developer Jared Grey confirmed the issue, urging users to revoke permissions for all contracts on SushiSwap as a security measure. The bug primarily affected a single user, 0xSifu, who is well known in the Crypto Twitter community.
The exploit appears to have impacted users who approved SushiSwap contracts within the last four days, according to DefiLlama developer 0xngmi. Recovery efforts are underway, with security teams investigating the issue, tracking stolen funds, and working to recover affected assets.
“Recovery efforts are underway,” said Jared Grey, citing a tweet from MetaSleuth that provided a breakdown of the stolen funds. The first attacker, 0x9deff, returned 90 ETH of the 100 they had stolen, while BlockSec rescued 100 ETH and pledged to return it shortly. Negotiations between sifuvision.eth and c0ffeebabe.eth are in progress, with most stolen funds traced to “beaverbuild, rsync-builder, and Lido: Execution Layer Rewards Vault.”
BlockSecTeam acknowledged their involvement in the recovery efforts, tweeting, “We knew that @SushiSwap RouteProcessor2 was attacked. We evaluated possible damages in the past few hours and made this public only after we think it’s safe: users’ assets are always our first priority. Btw: we rescued part of them and will release the details later.”