- The Sushiswap team has recovered hundreds of ETH stolen in a smart contract exploit over the weekend
- A white hat security process has enabled the recovery of one-fifth of the $3.3 million stolen
- It is hoped that more will be recovered this week
A glitch in the Sushiswap protocol over the weekend resulted in losses exceeding $3 million on April 9, although a “large portion of affected funds” have since been recovered. The exploit, which was blamed on faulty code in a trading aggregator, caused $3.3 million in losses in just a few hours, and came after Sushi head developer, Jared Grey, responded to the community following a recent subpoena from the Securities and Exchange Commission (SEC) regarding potential charges over the sale of securities.
300 ETH Recovered
Sushiswap users were alerted to the vulnerability in Sushi’s RouterProcessor2 contract by security firm PeckShield, which tweeted about the issue on Saturday evening:
It seems the @Sushiswap RouterProcessor2 contract has an approve-related bug, which leads to the loss of >$3.3M loss (about 1800 eth) from @0xSifu.
If you have approved https://t.co/E1YvC6VZsP, please *REVOKE* ASAP!
One example hack tx: https://t.co/ldg0ww3hAN pic.twitter.com/OauLbIgE0Q
— PeckShield Inc. (@peckshield) April 9, 2023
The targeted wallet belonged to prominent crypto community member Sifu: the “approve-related bug” in Sushiswap’s RouterProcessor2 contract was manipulated to allow the theft of 1,800 ETH from it. This immediately led some to speculate on the nature of the hack or, more pertinently, the victim:
Had to be with sifu, ever present in all kinds of scams
— Mahad Bajwa (@mahad_bajwa) April 9, 2023
Why is sifu and sissyfus still out of jail?
— Piu (💙,🧡) (@0xPiu) April 9, 2023
Following news of the exploit, Grey urged users to revoke permissions for all contracts on the protocol, saying that the team was “working with security teams to mitigate the issue”. Later on Sunday, he revealed the good news that most of the stolen funds had been recovered and that the team was working on getting the rest back:
We’ve confirmed recovery of more than 300ETH from CoffeeBabe of Sifu’s stolen funds. We’re in contact with Lido’s team regarding 700 more ETH.
— Jared Grey (@jaredgrey) April 9, 2023
Busy Time for Sushiswap
Grey’s intervention came at a busy time for him and the Sushiswap team. Just the day before, he had posted a response to some of the most pressing questions raised by the community following the subpoena issued by the SEC over its suggestions that SUSHI tokens constituted securities:
The SEC’s investigation is a non-public, fact-finding inquiry trying to determine whether there have been any violations of the federal securities laws. To the best of our knowledge, the SEC has not (as of this writing) made any conclusions that anyone affiliated with Sushi has violated United States federal securities laws.
A hefty fine could be coming Sushiswap’s way if the team is found guilty of an unregistered securities sale, which is why a legal defense fund was established on March 21.