SushiSwap hacked: $3.3 million stolen and 2,000 addresses affected

The SushiSwap platform was the target of an attack. For the moment, its governance token does not seem particularly affected by the news. Here is what happened.

SushiSwap, the target of an exploit

The decentralized exchange (DEX) SushiSwap announced this Sunday, April 9 that it had been the subject of an attack. According to initial reports, it was an exploit: in other words, the malicious actor took advantage of a security flaw in the platform to steal funds.

No relevant information has been released on the identity of the hacker. What we do know, however, is that through this operation he managed to steal some $3.3 million in assets from the platform, funds belonging to a user known as 0xSifu on Twitter.

According to Jared Grey, the head of SushiSwap, 0xSifu is not the only one to have been affected by the attack. At least 2,000 addresses on the layer 2 platform Arbitrum are suspected to have been affected. The situation is similar for around 190 addresses on the Ethereum blockchain.

Reactions following the attack on SushiSwap

For the time being, the stakeholders have not communicated on the funds that all these addresses may have lost. One thing is certain, however: all of them were duped by the malicious hacker.

The latter would have led them to grant approval to the faulty "SushiSwap Router Contract Approval Mechanism", through a bug that allowed him to bypass the permission check.

In this regard, Ancilia, Inc., a cybersecurity service provider, provided some technical details. It explains that "in the internal function swap", the hacker was able to set the variable lastCalledPool (storage slot 0x00) via swapUniV3. This would in fact be the root cause of the attack: because the router validated the wrong contract, all the targeted users had in fact authorized, without knowing it, the theft of their assets.
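To make the bug class concrete, here is a simplified illustration written for this article; it is not SushiSwap's code, and the interface names, function signatures and the factory lookup are assumptions. It shows a router whose swap callback trusts a storage variable (lastCalledPool) that is filled from caller-supplied route data and then pulls tokens from a caller-supplied address, next to a hardened version that only accepts callbacks from a pool derived from a trusted factory and only pays out of the account that initiated the swap.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative reconstruction of the bug class described above, not SushiSwap's
// code. Interfaces and names are simplified assumptions for the example.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface IPool {
    // Assumed: a pool that calls back into the router to collect its input tokens.
    function swap(address recipient, bytes calldata data) external;
}

interface IFactory {
    // Assumed: a trusted registry mapping (tokenA, tokenB, fee) to a pool address.
    function getPool(address tokenA, address tokenB, uint24 fee) external view returns (address);
}

// VULNERABLE PATTERN: the callback check compares msg.sender with a storage
// variable that any caller can set through route data, and the callback pulls
// tokens from an address taken from that same untrusted data. Every user who
// has approved this router is exposed, not only the caller of the swap.
contract VulnerableRouter {
    address private lastCalledPool; // storage slot 0x00

    function swapUniV3(address pool, address from, address tokenIn, uint256 amount) external {
        lastCalledPool = pool; // pool is untrusted input, so the check below proves nothing
        IPool(pool).swap(msg.sender, abi.encode(from, tokenIn, amount));
    }

    function uniswapV3SwapCallback(int256, int256, bytes calldata data) external {
        require(msg.sender == lastCalledPool, "unauthorized callback");
        (address from, address tokenIn, uint256 amount) =
            abi.decode(data, (address, address, uint256));
        IERC20(tokenIn).transferFrom(from, msg.sender, amount); // 'from' is not tied to the caller
    }
}

// HARDENED PATTERN: (1) the pool is resolved from a trusted factory, so an
// arbitrary contract cannot pose as the pool; (2) tokens are pulled only from
// the account that initiated this swap; (3) the callback context is cleared
// after use so a stale value cannot be reused in a later transaction.
contract HardenedRouter {
    IFactory public immutable factory;
    address private expectedPool;
    address private originator;

    constructor(IFactory _factory) {
        factory = _factory;
    }

    function swapUniV3(address tokenIn, address tokenOut, uint24 fee, uint256 amount) external {
        address pool = factory.getPool(tokenIn, tokenOut, fee);
        require(pool != address(0), "unknown pool");
        expectedPool = pool;
        originator = msg.sender;
        IPool(pool).swap(msg.sender, abi.encode(tokenIn, amount));
        expectedPool = address(0);
        originator = address(0);
    }

    function uniswapV3SwapCallback(int256, int256, bytes calldata data) external {
        require(expectedPool != address(0) && msg.sender == expectedPool, "unauthorized callback");
        (address tokenIn, uint256 amount) = abi.decode(data, (address, uint256));
        // Pay the pool only from the user who started this swap, never from
        // an address chosen by whoever is calling back.
        IERC20(tokenIn).transferFrom(originator, msg.sender, amount);
    }
}
```

The point for defenders is that an ERC-20 approval granted to a router is only as safe as every code path that can call transferFrom on the approver's behalf; a callback that validates its caller against attacker-influenced state effectively hands that approval to anyone. Because approvals persist on chain, the remediation the article mentions (revoking approvals to the affected contracts) is what actually closes the exposure for users, independently of any patch to the router itself.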

It is not known, for the moment, whether these funds can be recovered. SushiSwap, which is working on a fix, has indicated that it is "working with security teams to mitigate the issue." In particular, it plans to revoke all contracts related in one way or another to the cyberattack. A tool for checking whether an address is affected has also been announced.
