Sushiswap Smart Contract Bug Results in Over $3M in Losses; Head Chef Says Hundreds of ETH Recovered

According to several reports, a bug introduced to the decentralized exchange (dex) protocol Sushiswap’s smart contract has resulted in more than $3 million in losses. The blockchain and smart contract security firm Peckshield explained the exploited contract was “deployed in multiple blockchains.”

Over the weekend, the dex platform Sushiswap saw its RouteProcess02 contract exploited and then distributed across various blockchain networks. Blockchain security firm Certik published an alert after discovering the exploit. The company Peckshield also updated the crypto community via Twitter, noting that Sushiswap’s “RouterProcessor2 contract has an approve-related bug.” It has also been reported that the victim was a well-known crypto advocate called Sifu, who reportedly lost 1,800 ether.

Sifu may not have been the only victim, as Certik’s alert mentions that a few USDC users may have been affected. “We have detected suspicious activity on [0x15d], which is a malicious router,” Certik tweeted. “Revoke permissions if you have approved this router to spend your tokens. Stay safe. Multiple users who had approved the malicious contract have seen their USDC being transferred to [0x29e]. The wallet has taken about $20,000 in the last two hours,” the company added.

A developer known as 0xngmi has detailed that the exploit should only be problematic for those who used Sushiswap during the last four days. “Only users impacted by Sushiswap hack should be those that swapped on Sushiswap in the last 4 days. If you did so, revert approvals ASAP or move your funds in the affected wallet to a new wallet,” 0xngmi tweeted. Sushiswap’s head chef Jared Grey also confirmed the exploit and later detailed that “recovery efforts were underway.”



“We’ve secured a large portion of affected funds in a whitehat security process. If you have performed a whitehat recovery please contact [email protected] for next steps,” Grey said at 9:42 a.m. Eastern Time on April 9. “We’ve confirmed recovery of more than 300 ETH from Coffeebabe of Sifu’s stolen funds. We’re in contact with Lido’s team regarding 700 more ETH,” Grey added. Sushiswap’s CTO, Matthew Lilley, followed up later in the day and said that there are currently no issues with using the Sushiswap dex platform.

“There is no risk at this time with using Sushi Protocol, and the UI. All exposure to RouterProcessor2 has been removed from the front end, and all LPing / current swap activity is safe to do,” the Sushiswap CTO explained. “We do ask that all users double-check their approvals, and if an address within this list below has an allowance for any of your tokens to please unapprove as soon as you can,” Lilley added. Just recently, Grey told the community that the Sushiswap team received a subpoena from the U.S. Securities and Exchange Commission (SEC).

What do you think can be done to prevent smart contract bugs like this in the future? Share your thoughts in the comments below.