SushiSwap vulnerability results in $3.3 million theft

A flaw in a smart contract on the decentralized finance (DeFi) platform SushiSwap resulted in losses exceeding $3 million during the early hours of April 9, as reported by several blockchain security firms on Twitter.

Blockchain security firms CertiK Alert and PeckShield flagged unusual activity involving the approval function of Sushi's RouteProcessor2 contract, a routing contract that aggregates liquidity from multiple sources and selects the best price for token swaps. Because users grant the router an allowance over their tokens in order to swap, a flaw in how that approval is used exposed the tokens of everyone who had approved it. Within a few hours, the flaw had been used to drain $3.3 million.

It appears that the @SushiSwap RouterProcessor2 contract has an approval-related flaw, resulting in a loss of >$3.3M (approximately 1800 ) from @0xSifu.
If you have approved https://t.co/E1YvC6VZsP, please *REVOKE* IMMEDIATELY!
One example of a hack transaction: https://t.co/ldg0ww3hAN pic.twitter.com/OauLbIgE0Q

— PeckShield Inc. (@peckshield) April 9, 2023

As per DefiLlama pseudonymous developer 0xngmi, the breach is expected to impact only those users who engaged in swaps on the protocol within the last four days.

Sushi's lead developer, Jared Grey, advised users to revoke the permissions they had granted to the protocol's contracts. "Sushi's RouteProcessor2 contract has an approval flaw; please revoke approval IMMEDIATELY. We are collaborating with security teams to address the issue," he stated. A list of the affected contracts on each blockchain, for which approvals should be revoked, was published on GitHub.
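What "revoke approval" means at the protocol level is the check a practitioner would want to see: for each token you swapped, call the ERC-20 `allowance(owner, spender)` view function with the router as spender, and if it is non-zero, send `approve(spender, 0)`. The script below is an added example, not code from the article, SushiSwap or PeckShield. It builds and decodes the raw calldata for those two standard ERC-20 calls with no dependencies and decides whether a revocation transaction is needed; the token, owner and router addresses are constructed placeholders, not the real contract addresses, and the `eth_call` result is simulated rather than fetched from a node.

```python
"""
Audit and revoke an ERC-20 approval at the calldata level.

Added example; not code from Cointelegraph, SushiSwap or PeckShield.
It builds calldata for allowance(owner, spender) and approve(spender, 0),
decodes the eth_call return word, and decides whether a revoke is needed.
Submitting the transaction through a wallet or RPC client is not shown.
"""

# ERC-20 4-byte selectors: first four bytes of keccak256 of the signature.
ALLOWANCE_SELECTOR = bytes.fromhex("dd62ed3e")  # allowance(address,address)
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")    # approve(address,uint256)
UINT256_MAX = 2**256 - 1                         # the "unlimited" approval value


def _encode_address(addr: str) -> bytes:
    """ABI-encode a 20-byte hex address as a left-padded 32-byte word."""
    raw = bytes.fromhex(addr.lower().removeprefix("0x"))
    if len(raw) != 20:
        raise ValueError(f"not a 20-byte address: {addr}")
    return raw.rjust(32, b"\x00")


def _encode_uint256(value: int) -> bytes:
    """ABI-encode an unsigned integer as a big-endian 32-byte word."""
    if not 0 <= value <= UINT256_MAX:
        raise ValueError("value out of uint256 range")
    return value.to_bytes(32, "big")


def encode_allowance_call(owner: str, spender: str) -> bytes:
    """Calldata for allowance(owner, spender); send to the token via eth_call."""
    return ALLOWANCE_SELECTOR + _encode_address(owner) + _encode_address(spender)


def decode_uint256(return_data: bytes) -> int:
    """Decode the single 32-byte word an ERC-20 view function returns."""
    if len(return_data) != 32:
        raise ValueError("expected a single 32-byte return word")
    return int.from_bytes(return_data, "big")


def encode_approve_call(spender: str, amount: int) -> bytes:
    """Calldata for approve(spender, amount); amount 0 is the standard revoke."""
    return APPROVE_SELECTOR + _encode_address(spender) + _encode_uint256(amount)


def plan_revocation(token: str, owner: str, spender: str, return_data: bytes):
    """
    Given the raw eth_call result of allowance(owner, spender) on `token`,
    return the revoke transaction to send, or None if nothing is approved.
    """
    allowance = decode_uint256(return_data)
    if allowance == 0:
        return None
    return {
        "to": token,                      # the token contract, not the router
        "from": owner,
        "data": encode_approve_call(spender, 0),
        "allowance": allowance,
        "was_unlimited": allowance == UINT256_MAX,
    }


if __name__ == "__main__":
    # Constructed placeholder addresses (hypothetical, not the real contracts).
    TOKEN = "0x" + "aa" * 20
    OWNER = "0x" + "11" * 20
    ROUTER = "0x" + "22" * 20
    # Simulated eth_call result: an unlimited approval still in place.
    simulated_return = _encode_uint256(UINT256_MAX)
    print("allowance calldata:", encode_allowance_call(OWNER, ROUTER).hex())
    print("revoke tx:", plan_revocation(TOKEN, OWNER, ROUTER, simulated_return))
```

The revoke transaction is sent to the token contract, not to the router: the allowance lives in the token's storage, so nothing the router does can undo it. Repeat the check per token you approved; a swap that was already drained is not reversed by revoking, it only stops further transfers.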

We’ve confirmed the recovery of over 300ETH from CoffeeBabe of Sifu’s stolen assets. We are in discussions with Lido’s team regarding an additional 700 ETH.

— Jared Grey (@jaredgrey) April 9, 2023

Shortly after the incident, Grey reported on Twitter that a "significant portion of the affected funds" had been recovered through a white hat security effort. "We've confirmed the recovery of over 300ETH from CoffeeBabe of Sifu's stolen assets. We are in contact with Lido's team regarding 700 more ETH."

The Sushi community experienced a tumultuous weekend. On April 8, Grey and his legal team provided insights regarding the recent subpoena from the United States Securities and Exchange Commission.

“The SEC’s investigation is a non-public, fact-finding inquiry aimed at determining whether there have been any breaches of federal securities laws. To the best of our knowledge, the SEC has not (as of this writing) reached any conclusions indicating that anyone associated with Sushi has violated United States federal securities laws,” he remarked.

Grey asserts that he is cooperating with the investigation. A proposal for a legal defense fund in response to the subpoena was introduced on Sushi’s governance forum on March 21.
