A bug on SushiSwap’s smart contract led to a $3.3 million loss, affecting only users who traded on the decentralized exchange in the last four days, but a large portion of affected funds were recovered through a whitehat security process.
Several security reports on Twitter reveal that in the early hours of April 9, a bug in a smart contract of the decentralized finance protocol SushiSwap caused over $3 million in losses, underscoring a weakness of decentralized finance systems: smart contracts execute transactions automatically, without human oversight.
The bug was discovered by the blockchain security companies Certik Alert and Peckshield, who reported unusual activity related to the approval function in Sushi’s Router Processor 2 contract. This smart contract aggregates trade liquidity from multiple sources and identifies the most favorable price for swapping coins. Within a few hours, the bug led to losses of $3.3 million.
The bug appears to have affected only users who have traded on the decentralized exchange in the last four days. Sushi’s head developer Jared Grey urged users to revoke permissions for all contracts on the protocol, noting that “Sushi’s RouteProcessor2 contract has an approval bug; please revoke approval ASAP. We’re working with security teams to mitigate the issue.” A list of contracts on GitHub with different blockchains requiring revocation has been created to address the problem.
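The advice to revoke approvals works because of the ERC-20 allowance model: a user grants a spender (such as a router contract) permission to move tokens on their behalf, and that permission stays in force until the user sets it back to zero. The following added example is a constructed in-memory model of that mechanism, written for this article; it is not SushiSwap's RouteProcessor2 or any real token contract, and the account names, the `openApprovals` helper and the `revoke` helper are assumptions. It shows that a standing approval lets the spender move funds, and that revoking it (an `approve` of 0, which is what the revocation lists on GitHub ask users to do) closes that path for any remaining balance.

```javascript
// Added example: minimal model of ERC-20 balances and allowances.
// Constructed teaching code, not SushiSwap's contract or a real token.
class Token {
  constructor() {
    this.balances = new Map();   // account -> balance
    this.allowances = new Map(); // "owner:spender" -> amount still spendable
  }
  _key(owner, spender) { return `${owner}:${spender}`; }
  mint(account, amount) {
    this.balances.set(account, this.balanceOf(account) + amount);
  }
  balanceOf(account) { return this.balances.get(account) || 0; }
  // approve(spender, amount) in ERC-20 terms; an amount of 0 revokes.
  approve(owner, spender, amount) {
    this.allowances.set(this._key(owner, spender), amount);
  }
  allowance(owner, spender) {
    return this.allowances.get(this._key(owner, spender)) || 0;
  }
  // transferFrom called by `spender`: only succeeds while the allowance
  // granted by `from` still covers `amount`.
  transferFrom(spender, from, to, amount) {
    const allowed = this.allowance(from, spender);
    if (allowed < amount || this.balanceOf(from) < amount) return false;
    this.allowances.set(this._key(from, spender), allowed - amount);
    this.balances.set(from, this.balanceOf(from) - amount);
    this.balances.set(to, this.balanceOf(to) + amount);
    return true;
  }
}

// Hypothetical helper: list every non-zero allowance an owner has granted,
// the same information a "revoke" tool shows a user before they act.
function openApprovals(token, owner) {
  const result = [];
  for (const [key, amount] of token.allowances) {
    const [o, spender] = key.split(':');
    if (o === owner && amount > 0) result.push({ spender, amount });
  }
  return result;
}

// Hypothetical helper: revocation is simply approve(spender, 0).
function revoke(token, owner, spender) {
  token.approve(owner, spender, 0);
}

// Walk through the defensive sequence: a user with a standing "unlimited"
// approval to a router, a transfer the router can make while it stands,
// and the same transfer failing once the approval is revoked.
function scenario() {
  const token = new Token();
  token.mint('alice', 1000);
  // Many DEX front-ends request an effectively unlimited approval.
  token.approve('alice', 'router', Number.MAX_SAFE_INTEGER);
  const movedWhileApproved = token.transferFrom('router', 'alice', 'other', 400);
  const approvalsBefore = openApprovals(token, 'alice').length;
  revoke(token, 'alice', 'router');
  const movedAfterRevoke = token.transferFrom('router', 'alice', 'other', 400);
  return {
    movedWhileApproved,                    // true: the router could move funds
    movedAfterRevoke,                      // false: revocation closed the path
    approvalsBefore,                       // 1 open approval before revoking
    approvalsAfter: openApprovals(token, 'alice').length, // 0 afterwards
    balance: token.balanceOf('alice'),     // 600: what revocation protected
  };
}
```

The model deliberately omits the router itself: whatever the router's own defect, its reach is bounded by the allowances users have granted it, which is why checking and zeroing those allowances is the user-side mitigation.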
In the wake of the incident, Grey took to Twitter to announce that a “large portion of affected funds” had been recovered through a whitehat security process. “We’ve confirmed recovery of more than 300ETH from CoffeeBabe of Sifu’s stolen funds. We’re in contact with Lido’s team regarding 700 more ETH.” The recovery of the funds is good news for SushiSwap users, but the incident raises questions about the security of DeFi systems and the need for increased vigilance.
The incident is just the latest in a series of challenges faced by SushiSwap. The platform has been under scrutiny by regulators, with the United States Securities and Exchange Commission (SEC) launching an investigation into the platform.
Grey and his counsel provided comments on the recent subpoena from the SEC, stating that “the SEC’s investigation is a non-public, fact-finding inquiry trying to determine whether there have been any violations of the federal securities laws. To the best of our knowledge, the SEC has not (as of this writing) made any conclusions that anyone affiliated with Sushi has violated United States federal securities laws.”
Grey claims to be cooperating with the investigation, and a legal defense fund in response to the subpoena was proposed on Sushi’s governance forum on March 21. The incident highlights the challenges faced by DeFi platforms, particularly as they come under increased scrutiny from regulators.