Sushiswap Recovers Hundreds of ETH Stolen in Exploit

Reading Time: 2 minutes
  • The Sushiswap team has recovered hundreds of ETH stolen in a smart contract exploit over the weekend
  • A white hat security process has enabled the recovery of one-fifth of the $3.3 million stolen
  • It is hoped that more will be recovered this week

A glitch in the Sushiswap protocol over the weekend resulted in losses exceeding $3 million on April 9, although a ”large portion of affected funds” have since been recovered. The exploit, which was blamed on faulty code in a trading aggregator, caused $3.3 million in losses in just a few hours, and came after Sushi head developer, Jared Grey, responded to the community following a recent subpoena from the Securities and Exchange Commission (SEC) regarding potential charges over the sale of securities.

300 ETH Recovered

Sushiswap users were alerted to the vulnerability in Sushi’s Router Processor 2 contract via security firm Peckshield, which tweeted about the issue on Saturday evening:

The wallet targeted was that belonging to prominent crypto community member Sifu, with the “approve-related bug” in Sushiswap’s RouterProcessor2 contract manipulated to allow the theft of 1,800 ETH from Sifu’s wallet. This fact immediately led to some speculating on the nature of the hack, or more pertinently, the victim:

Following news of the exploit, Grey urged users to revoke permissions for all contracts on the protocol, saying that the team was “working with security teams to mitigate the issue”. Later on Sunday, he revealed the good news that most of the stolen funds had been recovered and that the team was working on getting the rest back:

Busy Time for Sushiswap

Grey’s intervention came at a busy time for him and the Sushiswap team. Just the prior day he had posted a response to some of the most pressing questions raised by the community following the subpoena issued by the SEC over its suggestions that SUSHI tokens constituted securities:

The SEC’s investigation is a non-public, fact-finding inquiry trying to determine whether there have been any violations of the federal securities laws. To the best of our knowledge, the SEC has not (as of this writing) made any conclusions that anyone affiliated with Sushi has violated United States federal securities laws.

A hefty fine could be coming Sushiswap’s way if the team is found guilty of an unregistered securities sale, which is why a legal defense fund was established on March 21.