Decentralized stock market SushiSwapannounced that at least one user, known as 0xSifu, suffered a hack that lost more than $3.3 million.
The hack in question is PeckShield and SushiSwap Chief Jared GrayDue to a validation-related error in the RouterProcessor2 contract that suggested to be canceled on all chains evolved.
Ancilia, Inc. In clear, technical terms, it “calls swapUniV3() in the internal swap() function to set the “lastCalledPool” variable located in storage slot 0x00,” according to the company. The cybersecurity account added that “the permission check was then bypassed in the swap3callback function.”
Sushi’s RouteProcessor2 contract has an approval bug; please revoke approval ASAP. We’re working with security teams to mitigate the issue. https://t.co/WhXJfa5xD4
NEWS CONTINUES BELOW— Jared Gray (@jaredgrey) April 9, 2023
“The yoink function was used by the first hacker, because the attack vector was an error in the “validation” mechanism of the Sushi swap router contract,” said Brad Kay, The Block Research Analyst.
According to Kay, this vulnerability allows an unauthorized asset to be taken without any consent of the token holder. According to research, the first attack was for 100 ETH, but right after this attack, a bona fide hacker took 1800 ETH using the same contract, but did not misuse these assets.
@0xngmi stated that this attack should only affect those who have used Sushiswap in the last four days. Authorities released chain contracts that had to be revoked immediately after the attack, and developed a tool that helps address holders check whether they have been affected by the attack.
According to Kevin Peng, there are at least 190 Ethereum wallet addresses affected by this vulnerability. However, more than 2000 addresses in the Arbitrum layer-2 network may have been affected by the attack.
The news has had little impact on the price of the native token of SushiSwap, but the trajectory is not clear yet as developments continue.
You can follow the current price action here.