SushiSwap hack overview

SmartState.tech
3 min read · Apr 9, 2023


Today, April 9, the DeFi exchange SushiSwap was hit by an exploit that cost at least one user, known on Twitter as 0xSifu, more than $3.3 million.

The exploit stems from a flaw in the RouteProcessor2 contract that lets token approvals granted to it be abused; PeckShield and SushiSwap head chef Jared Gray recommended revoking those approvals on all chains.

The main reason for the vulnerability, according to Ancilia, Inc., is “because in the internal swap() function, it will call swapUniV3() to set the variable “lastCalledPool”, which is at storage slot 0x00. Later on, in the swap3callback function, the permission check gets bypassed”.
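The pattern Ancilia describes, a callback that authorises its caller only by comparing msg.sender with a pool address the router itself stored from caller-supplied route data, is illustrated below in simplified form, vulnerable variant first and a hardened one after it. This is added example code, not SushiSwap's RouteProcessor2 source: the trimmed interfaces, the route arguments, the `from` address carried in the callback data and the factory-based check are all assumptions made for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration of the callback-authorisation pattern; NOT SushiSwap's code.
// Interfaces are trimmed to the functions the example needs (assumption).

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface IUniswapV3Pool {
    // A real V3 pool calls uniswapV3SwapCallback on msg.sender before the swap completes.
    function swap(
        address recipient,
        bool zeroForOne,
        int256 amountSpecified,
        uint160 sqrtPriceLimitX96,
        bytes calldata data
    ) external returns (int256 amount0, int256 amount1);
}

interface IUniswapV3Factory {
    function getPool(address tokenA, address tokenB, uint24 fee) external view returns (address);
}

uint160 constant MIN_SQRT_RATIO = 4295128739;
uint160 constant MAX_SQRT_RATIO = 1461446703485210103287273052203988822378723970342;

// VULNERABLE: the "pool" is whatever address the route names, and the callback's only
// check is msg.sender == that stored address. A contract the caller controls can therefore
// be named as the pool, get called, and call back with data of its own choosing.
contract VulnerableRouter {
    address private lastCalledPool = address(1); // storage slot 0

    function swapUniV3(address pool, bool zeroForOne, int256 amountIn, address from, address tokenIn, address to) external {
        lastCalledPool = pool; // trusted straight from the caller
        IUniswapV3Pool(pool).swap(to, zeroForOne, amountIn, zeroForOne ? MIN_SQRT_RATIO + 1 : MAX_SQRT_RATIO - 1, abi.encode(from, tokenIn));
        lastCalledPool = address(1);
    }

    function uniswapV3SwapCallback(int256 amount0Delta, int256 amount1Delta, bytes calldata data) external {
        require(msg.sender == lastCalledPool, "unauthorised"); // satisfied by whatever swapUniV3 just stored
        (address from, address tokenIn) = abi.decode(data, (address, address));
        int256 owed = amount0Delta > 0 ? amount0Delta : amount1Delta;
        // Pays the "pool" with tokens of `from`, i.e. any account that approved this router.
        IERC20(tokenIn).transferFrom(from, msg.sender, uint256(owed));
    }
}

// HARDENED: derive the pool from the factory instead of trusting the route, re-check it
// independently in the callback, and charge only the account that started this swap.
contract HardenedRouter {
    IUniswapV3Factory public immutable factory;
    address private lastCalledPool = address(1);
    address private payer = address(1);

    constructor(IUniswapV3Factory f) { factory = f; }

    function swapUniV3(address tokenIn, address tokenOut, uint24 fee, int256 amountIn, address to) external {
        require(payer == address(1), "reentrant");
        address pool = factory.getPool(tokenIn, tokenOut, fee);
        require(pool != address(0), "no such pool");
        bool zeroForOne = tokenIn < tokenOut;
        lastCalledPool = pool;
        payer = msg.sender;
        IUniswapV3Pool(pool).swap(to, zeroForOne, amountIn, zeroForOne ? MIN_SQRT_RATIO + 1 : MAX_SQRT_RATIO - 1, abi.encode(tokenIn, tokenOut, fee));
        lastCalledPool = address(1);
        payer = address(1);
    }

    function uniswapV3SwapCallback(int256 amount0Delta, int256 amount1Delta, bytes calldata data) external {
        require(msg.sender == lastCalledPool, "unauthorised");
        (address tokenIn, address tokenOut, uint24 fee) = abi.decode(data, (address, address, uint24));
        require(msg.sender == factory.getPool(tokenIn, tokenOut, fee), "not a factory pool"); // second, independent check
        int256 owed = amount0Delta > 0 ? amount0Delta : amount1Delta;
        require(owed > 0, "nothing owed");
        // `payer` was bound to msg.sender of swapUniV3; it is never read from callback data.
        IERC20(tokenIn).transferFrom(payer, msg.sender, uint256(owed));
    }
}
```

In the vulnerable variant nothing stops the route from naming an arbitrary contract as the pool, so the `msg.sender == lastCalledPool` check can be satisfied by a caller the router never vetted, and the callback then spends whatever approval `from` has given the router. The hardened variant closes both halves: the pool address is computed from the factory and re-verified inside the callback, and the account charged is the one that entered `swapUniV3`, not a value decoded from calldata.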

DeFi Llama’s @0xngmi says the problem only affected those who made swaps on SushiSwap within the last four days. A list of the affected contract addresses on every network has also been published, along with a tool that checks whether any of a user’s addresses have approved them.

The Block Research analyst Kevin Peng explains that, so far, 190 Ethereum addresses have approved the vulnerable smart contract. On the Arbitrum Layer 2, however, over 2,000 addresses appear to have approved the problematic contract as well.

SmartState summary

As far as we can see, no public audit of the RouteProcessor2 contract is available at this time. If non-public internal audits were performed, they seem to have missed the bug.

The best practice when updating a blockchain project is to perform an internal audit and, preferably, an external audit as well. This matters most for projects with extensive functionality that keep expanding their logic: with a large set of functions and complex interactions between them, it is easy to overlook how adding new functionality changes the behaviour of the existing set.


About SmartState

Launched in 2019 and based in Dubai, SmartState is one of the leading DeFi security auditing firms. We conduct security tests and check the core code, smart contracts and blockchain for all types of errors, vulnerabilities and other issues.

Although SmartState began with smart contract audits of DLT projects, from the very beginning our services have gone beyond the classic scope of smart contract auditing and security testing. We specialize in manual testing: SmartState’s team of white-hat security professionals reviews a project’s git repository and offers guidelines and recommendations for its further development. Our security audit reports cover the threats and vulnerabilities through which a codebase could be exploited in the future, as the network scales and expands to accommodate more use cases and functionality.

This article does not constitute legal, financial or investment advice, and we are not responsible for any decisions based on our analysis or recommendations.
