SushiSwap, the widely-used decentralized exchange, fell prey to a major cyber attack that resulted in a massive loss of $3.3 million. This security breach was caused by a vulnerability in the approval contract that the platform relies upon.
SushiSwap has been a critical player in the decentralized finance (DeFi) ecosystem, recognized for its groundbreaking and streamlined services. However, this latest occurrence has cast a shadow on the platform’s dependability and safety.
The perpetrators exploited a weak spot in the approval contract, allowing them to manipulate the system and obtain unauthorized access to a substantial amount of funds.
The exploit was related to a bug in the RouterProcessor2 contract, and both PeckShield and SushiSwap’s Head Chef, Jared Grey, advised users to revoke the approvals granted to that contract on all chains.
The technical root cause of the exploit, as described by Ancilia, Inc., is that “in the internal swap() function, it will call swapUniV3() to set variable ‘lastCalledPool,’ which is at storage slot 0x00.”
According to cybersecurity experts, “later on, the function will call updatePool() on the pool which was last called, while it should call updatePool() on the pool that the liquidity was added to. Because of this, an attacker can drain the liquidity of the pool that was last called, but the function will update the wrong pool, which results in an inconsistent state of the pool.”
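Since the advice above is to revoke token approvals granted to the affected router, the following is an added Python example (not code from the article, SushiSwap or Ancilia) that builds the raw ERC-20 calldata a wallet would send to read an allowance and set it to zero, and decodes the `eth_call` response; the owner and router addresses are placeholders, not the real contract addresses.

```python
# Added example: build ERC-20 calldata for checking and revoking an allowance.
# Function selectors are the first 4 bytes of keccak256(signature); these two
# are the standard ERC-20 selectors, hard-coded so the script runs offline.
SEL_ALLOWANCE = bytes.fromhex("dd62ed3e")  # allowance(address,address)
SEL_APPROVE = bytes.fromhex("095ea7b3")    # approve(address,uint256)


def _addr(hex_addr: str) -> bytes:
    """Left-pad a 20-byte address to a 32-byte ABI word."""
    raw = bytes.fromhex(hex_addr.removeprefix("0x"))
    if len(raw) != 20:
        raise ValueError("address must be 20 bytes")
    return raw.rjust(32, b"\x00")


def _uint(value: int) -> bytes:
    """Encode a uint256 as a 32-byte big-endian ABI word."""
    if not 0 <= value < 2**256:
        raise ValueError("uint256 out of range")
    return value.to_bytes(32, "big")


def allowance_calldata(owner: str, spender: str) -> str:
    """eth_call payload for allowance(owner, spender) on a token contract."""
    return "0x" + (SEL_ALLOWANCE + _addr(owner) + _addr(spender)).hex()


def revoke_calldata(spender: str) -> str:
    """Transaction data for approve(spender, 0), i.e. a full revoke.
    Setting the value to 0 (rather than merely lowering it) also satisfies
    tokens that reject non-zero -> non-zero allowance changes."""
    return "0x" + (SEL_APPROVE + _addr(spender) + _uint(0)).hex()


def decode_allowance(return_data: str) -> int:
    """Decode the single uint256 word returned by allowance()."""
    raw = bytes.fromhex(return_data.removeprefix("0x"))
    if len(raw) != 32:
        raise ValueError("expected a single 32-byte word")
    return int.from_bytes(raw, "big")


def needs_revoke(return_data: str) -> bool:
    """True when the decoded allowance is non-zero and should be revoked."""
    return decode_allowance(return_data) > 0


# Placeholder addresses (constructed; the real router address is not given here).
OWNER = "0x" + "11" * 20
ROUTER = "0x" + "22" * 20

if __name__ == "__main__":
    print("allowance call:", allowance_calldata(OWNER, ROUTER))
    unlimited = "0x" + "ff" * 32  # constructed eth_call response: max uint256
    print("revoke needed:", needs_revoke(unlimited))
    print("revoke tx data:", revoke_calldata(ROUTER))
```

Run the allowance check against every token the account has ever approved for the router; any non-zero result is a candidate for the revoke transaction.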
In the aftermath of the event, the SushiSwap team has pledged to enforce additional security measures to prevent similar incidents from happening again. Furthermore, this attack has sparked a broader discussion within the DeFi community regarding the need for robust infrastructure and stringent security protocols.
As the inquiry into the incident progresses, more details will be disclosed to the public. In the meantime, it is critical for the DeFi community to stay alert and prioritize the safety of their users and platforms.