An exploit on the decentralized exchange SushiSwap resulted in the theft of more than $3.3 million from at least one user, identified on Twitter as 0xSifu. PeckShield and SushiSwap Chief Chef Jared Grey advise revoking approvals granted to the RouterProcessor2 contract on all chains, since the exploit stems from an approval-related issue.
The primary cause cited by Ancilia, Inc. is the invocation of the swapUniV3() function within the internal swap() function, which sets the “lastCalledPool” variable in storage slot 0x00.
According to reports, the number of SushiSwap users who may be affected is currently believed to be relatively small. @0xngmi from DeFi Llama has suggested that only users who swapped on SushiSwap within the last four days may be impacted, and has provided a list of contracts whose approvals need to be revoked along with a tool to check whether any of your addresses are affected.
The Block Research analyst Kevin Peng has noted that around 190 Ethereum addresses have approved the problematic contract, while more than 2,000 addresses on the Layer 2 network Arbitrum have apparently done so. Despite the news, the price of Sushi's governance token has only dropped by 0.6% in the last hour. Grey, who is also pursuing a $3 million legal defense fund from Sushi DAO after Sushi was subpoenaed by the U.S. Securities and Exchange Commission, tweeted in response that Sushi is working with security teams to address the problem.
It is recommended to revoke approvals for SushiSwap contracts (as well as any unfamiliar contracts) using Revoke.cash on every network you are active on.
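For readers who prefer to verify and revoke approvals themselves rather than through a third-party tool, the following is an added example (not code from the article, SushiSwap or Revoke.cash) of the raw ERC-20 calls involved: it builds the `allowance(owner, spender)` call to send via `eth_call`, decides from the returned word whether a revocation is needed, and builds the `approve(spender, 0)` transaction data that zeroes the allowance. The addresses and the returned allowance values are constructed placeholders; the two function selectors are the standard ERC-20 ones.

```python
# Added example: offline ERC-20 approval check/revocation helpers.
# Standard ERC-20 function selectors (first 4 bytes of the keccak256 hash of the signature).
ALLOWANCE_SELECTOR = "dd62ed3e"  # allowance(address,address)
APPROVE_SELECTOR = "095ea7b3"    # approve(address,uint256)

def _addr_word(addr: str) -> str:
    """Left-pad a 20-byte hex address to a 32-byte ABI word (64 hex chars)."""
    h = addr.lower()
    h = h[2:] if h.startswith("0x") else h
    if len(h) != 40 or any(c not in "0123456789abcdef" for c in h):
        raise ValueError(f"bad address: {addr}")
    return h.rjust(64, "0")

def allowance_calldata(owner: str, spender: str) -> str:
    """Calldata for token.allowance(owner, spender); send to the token via eth_call."""
    return "0x" + ALLOWANCE_SELECTOR + _addr_word(owner) + _addr_word(spender)

def decode_uint256(returndata: str) -> int:
    """Decode the single 32-byte word that allowance() returns."""
    h = returndata[2:] if returndata.startswith("0x") else returndata
    if len(h) != 64:
        raise ValueError("expected exactly one 32-byte return word")
    return int(h, 16)

def needs_revoke(returndata: str) -> bool:
    """Any non-zero allowance means the spender can still move tokens."""
    return decode_uint256(returndata) > 0

def revoke_calldata(spender: str) -> str:
    """Calldata for token.approve(spender, 0), which sets the allowance to zero."""
    return "0x" + APPROVE_SELECTOR + _addr_word(spender) + "0" * 64

def revocations_needed(owner: str, spender: str, responses: dict) -> list:
    """Given {token_address: eth_call returndata} for one owner/spender pair,
    return (token, revoke_calldata) for every token that still has an allowance."""
    return [(token, revoke_calldata(spender))
            for token, rd in responses.items() if needs_revoke(rd)]

if __name__ == "__main__":
    # Constructed placeholders, not real addresses or on-chain values.
    owner = "0x" + "11" * 20
    spender = "0x" + "22" * 20  # stands in for the router contract being revoked
    sample = {"0x" + "aa" * 20: "0x" + "f" * 64,   # "unlimited" approval: revoke
              "0x" + "bb" * 20: "0x" + "0" * 64}   # no allowance: nothing to do
    for token, data in revocations_needed(owner, spender, sample):
        print(f"send to {token}: {data}")
```

Each tuple returned is the `to` address and `data` field of a transaction the owner would sign; the `allowance` query itself costs no gas.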