The hack was possible because of a vulnerability in the smart contract.
SushiSwap, a popular decentralized exchange, was hit by an exploit on April 9, 2023. Roughly $3.3 million was stolen through a vulnerability in its RouterProcessor2 smart contract. The flaw let an attacker pull tokens out of the wallet of any user who had previously approved the contract, with no further signature or confirmation from the wallet owner.
At least one case of funds being stolen through this vulnerability has been confirmed: Michael Patryn (0xSifu), co-founder of the bankrupt Canadian exchange QuadrigaCX, lost about 1,800 ETH, worth about $3.3 million at the exchange rate at the time of the incident.
According to researchers at cybersecurity provider Ancilia Inc., the attack relied on the token approvals users grant to an exchange's smart contract before trading with it. On a decentralized exchange the user must allow (approve) the router contract to move tokens out of their wallet on their behalf; the contract then spends that allowance with transferFrom calls to execute swaps. Anyone who granted such an allowance to the vulnerable RouterProcessor2 handed an attacker the ability to spend it repeatedly, without any further confirmation from the wallet owner.
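To make the approval risk concrete, the following is an added example written for this page, not SushiSwap's code: a deliberately simplified Python model of an ERC-20 token, a router whose swap callback pulls tokens from a payer address taken straight from attacker-supplied route data (the pattern public post-mortems attribute to RouterProcessor2), a hardened router that only pays from the account that initiated the swap, and a malicious "pool" that triggers the callback. All account names, the route format and the hardening shown are assumptions made for the illustration; the point is that an unlimited allowance to a buggy spender is a standing loss, and that approve(spender, 0) closes it.

```python
"""Toy model of an approval-drain through a buggy router. Constructed example, not SushiSwap code."""


class ERC20:
    """Minimal ERC-20 balance/allowance bookkeeping (constructed toy, not a real token)."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}  # (owner, spender) -> remaining allowance

    def approve(self, owner, spender, amount):
        # approve(spender, 0) is how a user revokes an approval.
        self.allowances[(owner, spender)] = amount

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def transfer_from(self, caller, owner, to, amount):
        # Standard ERC-20 rule: the caller spends the allowance the owner gave to it.
        allowed = self.allowance(owner, caller)
        if allowed < amount or self.balances.get(owner, 0) < amount:
            raise PermissionError("insufficient allowance or balance")
        self.allowances[(owner, caller)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


class VulnerableRouter:
    """Swap callback trusts a payer address carried in attacker-controlled route data."""

    name = "router"

    def process_route(self, token, msg_sender, pool, route):
        # The pool address comes from the route, so a caller can point it at a contract it controls.
        pool.swap(self, token, route)  # the pool is expected to call back into swap_callback

    def swap_callback(self, token, pool, amount, data):
        payer = data["from"]  # BUG (modelled): never checked against the account that called process_route
        token.transfer_from(self.name, payer, pool.name, amount)


class HardenedRouter(VulnerableRouter):
    """One possible fix (assumption for this example): only pull tokens from the swap's initiator."""

    def process_route(self, token, msg_sender, pool, route):
        self._initiator = msg_sender
        super().process_route(token, msg_sender, pool, route)

    def swap_callback(self, token, pool, amount, data):
        if data["from"] != self._initiator:
            raise PermissionError("callback payer is not the caller of process_route")
        super().swap_callback(token, pool, amount, data)


class MaliciousPool:
    """Attacker-deployed 'pool': its swap() just asks the router to pay it from the victim."""

    name = "attacker_pool"

    def swap(self, router, token, route):
        router.swap_callback(token, self, route["amount"], {"from": route["from"]})


def run_scenario(router_cls, victim_revoked=False):
    """Return (victim balance, attacker pool balance) after the attacker's call.

    The victim granted the usual unlimited approval earlier; the attacker then calls
    process_route themselves, naming the victim as payer. No victim signature is involved.
    """
    token = ERC20({"victim": 1800, "attacker": 0})  # constructed balances
    router = router_cls()
    token.approve("victim", router.name, 2**256 - 1)  # unlimited approval, as most dApps request
    if victim_revoked:
        token.approve("victim", router.name, 0)  # revoke before the attacker shows up
    route = {"from": "victim", "amount": 1800}  # attacker-chosen payer and amount
    try:
        router.process_route(token, "attacker", MaliciousPool(), route)
    except PermissionError:
        pass  # hardened router or revoked allowance refuses the pull
    return token.balances["victim"], token.balances.get("attacker_pool", 0)


if __name__ == "__main__":
    print("vulnerable, approval live:", run_scenario(VulnerableRouter))
    print("vulnerable, approval revoked:", run_scenario(VulnerableRouter, victim_revoked=True))
    print("hardened, approval live:", run_scenario(HardenedRouter))
```

The vulnerable router with a live approval drains the victim; revoking the allowance or tying the payer to the caller both stop it. Note that the hardening shown is only one illustration of a fix, chosen for this example, and says nothing about what SushiSwap actually changed.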
There were actually two attacks
A cryptocurrency enthusiast known as Trust claimed on Twitter to have found the vulnerability first: he withdrew 100 ETH belonging to Patryn and tried to notify him.
Patryn did not respond in time, and other attackers, having spotted Trust's transaction on-chain, repeated it with far larger losses. Most of the funds were nonetheless recovered within hours of the incident, and Boxchain experts are now working to recover about 700 more ETH.
Head Chef calls for approvals to be revoked on all chains
As 0xngmi, a developer at DefiLlama, pointed out, any wallet that interacted with the platform in the four days before the hack remains at risk of losing funds as long as its approval stands. By then, 190 Ethereum addresses and more than 2,000 addresses on the Arbitrum layer-2 network appeared to have approved the vulnerable contract, according to The Block research analyst Kevin Peng.
Jared Grey, SushiSwap's Head Chef, has called on users to revoke their approvals on all chains. If you find yourself among those who have confirmed transactions with the smart contract at the link, revoke your approval for transfers immediately, he stated.