Benzinga - Over the weekend, SushiSwap suffered a major security breach when a bug in its RouterProcessor2 contract was exploited, resulting in the theft of approximately $3.3 million in Ethereum (CRYPTO: ETH) from a user's wallet.
PeckShield, a blockchain data security and analytics firm, confirmed that the "approval-related bug" in the contract allowed the attacker to steal 1,800 ETH from the victim's wallet.
It looks like the @SushiSwap RouterProcessor2 contract has an approval-related bug, causing @0xSifu to lose >$3.3M (about 1800 eth).
If you endorsed https://t.co/E1YvC6VZsP, please *REVOKE* ASAP!
An example of a tx hack: https://t.co/ldg0ww3hAN pic.twitter.com/OauLbIgE0Q
— PeckShield Inc. (@peckshield) April 9, 2023
Binance-supported (CRYPTO: BNB) cybersecurity company Ancilia conducted a separate analysis and found that the flaw resulted from a failure to validate access permissions during an exchange transaction.
3/ The main cause is that in the internal swap() function, it will call swapUniV3() to set the "lastCalledPool" variable which is in storage location 0x00. Later in the swap3callback function, the permission check is bypassed. pic.twitter.com/LN0Ppsob9a
— Ancilia, Inc. (@AnciliaInc) April 9, 2023
The vulnerable contract was also discovered on the Polygon network.
Jared Gray, the "head chef" of SushiSwap, confirmed the bug and urged users who had interacted with the blockchain to revoke all permissions granted to contracts on the exchange.
CTO Matthew Lilley also gave more details, saying the company was identifying all affected addresses and working to recover funds as they became available.
Lilley also provided a tool to help users check exposure on various networks.
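To illustrate the exposure check and the revocation advice above, the following is an added example (not SushiSwap's tool and not part of the original article) that replays ERC-20 Approval logs to find allowances still granted to a flagged spender. The spender address, owner, token addresses and log entries are constructed placeholders, since the article does not state the contract address.

```python
# Added example: find ERC-20 approvals that are still live for a flagged spender.
# Input has the shape of eth_getLogs results; every address below is constructed.

# keccak256("Approval(address,address,uint256)"), the ERC-20 Approval event topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
# Placeholder, NOT the real RouterProcessor2 address (the article does not give it).
FLAGGED_SPENDER = "0x" + "ab" * 20
OWNER, OTHER = "0x" + "11" * 20, "0x" + "cd" * 20
TOKEN_A, TOKEN_B = "0x" + "a1" * 20, "0x" + "b2" * 20
UNLIMITED = 2**256 - 1

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def live_allowances(logs, owner, spender):
    """Replay Approval logs in chain order; the latest approval per token wins.
    Returns {token: allowance} for allowances that are still non-zero."""
    owner, spender = owner.lower(), spender.lower()
    ordered = sorted(logs, key=lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16)))
    current = {}
    for log in ordered:
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # not an ERC-20 Approval (ERC-721 Approval carries 4 topics)
        if topic_to_address(topics[1]) != owner or topic_to_address(topics[2]) != spender:
            continue
        current[log["address"].lower()] = int(log["data"], 16)
    return {token: value for token, value in current.items() if value > 0}

def _log(token, owner, spender, value, block, index):
    """Build one constructed log entry in eth_getLogs shape."""
    pad = lambda addr: "0x" + addr[2:].rjust(64, "0")
    return {"address": token, "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(value, "064x"),
            "blockNumber": hex(block), "logIndex": hex(index)}

# Constructed sample, deliberately out of chain order.
SAMPLE_LOGS = [
    _log(TOKEN_B, OWNER, FLAGGED_SPENDER, 0, 150, 1),          # later revocation
    _log(TOKEN_A, OWNER, FLAGGED_SPENDER, UNLIMITED, 100, 0),  # unlimited, never revoked
    _log(TOKEN_B, OWNER, FLAGGED_SPENDER, 500, 101, 2),        # superseded by the revocation
    _log(TOKEN_A, OWNER, OTHER, 7, 120, 0),                    # unrelated spender
]

if __name__ == "__main__":
    for token, value in live_allowances(SAMPLE_LOGS, OWNER, FLAGGED_SPENDER).items():
        print(f"revoke: token {token} allowance {value}")
```

Many tokens do not emit Approval when transferFrom spends an allowance, so the result is an upper bound; confirm each hit with the token's allowance(owner, spender) call before and after revoking.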
Despite the hack, the price of the SushiSwap (CRYPTO: SUSHI) token has fallen only slightly over the past 24 hours.
It should be noted that SushiSwap narrowly avoided a major hack earlier this year when a "white hat" crypto researcher discovered an auction bug that could have resulted in a $350 million loss.