A bug on a four-day-old router contract on SushiSwap led to a $3 million exploit over the weekend.
According to an update from blockchain security firm PeckShield, the protocol’s RouterProcessor2 contract had an approve-related bug which resulted in an exploiter stealing 1800 ETH from a user’s wallet.
It seems the @SushiSwap RouterProcessor2 contact has an approve-related bug, which leads to the loss of >$3.3M loss (about 1800 eth) from @0xSifu.
If you have approved https://t.co/E1YvC6VZsP, please *REVOKE* ASAP!
One example hack tx: https://t.co/ldg0ww3hAN pic.twitter.com/OauLbIgE0Q
— PeckShield Inc. (@peckshield) April 9, 2023
The wallet in question belonged to “0xSifu,” otherwise known as Michael Patryn, who co-founded the infamous QuadrigaCX which lost over $150 million in customer funds.
SushiSwap CEO Jared Grey confirmed the exploit on Twitter and urged users to revoke all permissions for contracts on the protocol. Grey said the team was working with security experts to mitigate the issue, and some recovery efforts were already underway.
“We will produce a thorough post-mortem of the development process leading up to the exploit and the events that unfolded post-exploit,” said Grey.
According to him, more than 300 ETH of stolen funds have already been recovered and the team was working with Lido to recover another 700 ETH. 0xSifu claims that to his knowledge, only 190 ETH has been recovered so far.
Some funds were recovered as a result of white hat hackers, who got ahead of the exploit and returned the funds to 0xSifu. These efforts were somewhat thwarted by Maximal Extractable Value (MEV) bots that copied and deployed the exploit.
“I wasn’t aware of how ridiculously advanced MEV bots are (rebuilt 3 TXs), I thought every second matters, and wanted to white-hack a bunch more addresses,” said white hat hacker Trust, who recovered 100 ETH of Sifu’s stolen funds.
Many in the crypto community were unsympathetic towards 0xSifu, given his status as a controversial figure within the crypto landscape. Apart from his involvement in QuadrigaCX, 0xSifu has been accused of siphoning funds from DeFi protocol Wonderland, where he served as treasurer.
I'm sure you have some proof of this. Should probably file a police report.
— 0xsifu (@0xSifu) April 9, 2023