SushiSwap will shortly begin returning funds to users after a defective smart contract resulted in over $3.4M in losses over the weekend, but the majority of the stolen assets remain unrecovered.
On Tuesday, Sushi announced that approximately $51,000 worth of user assets secured by white-hat hackers will soon be available for claim. White-hat hackers typically receive a bounty in exchange for securing funds that are at risk of being misappropriated through exploitable code vulnerabilities.
While funds seized by hostile “black-hat” hackers are irretrievable, Sushi is working on a claim process to compensate affected users.
On Monday, the ‘head chef’ of Sushi, Jared Grey, tweeted that users could once again trade safely on the platform and implored recent users to revoke approvals for the exploited RouteProcessor2 contract.
The incident emphasizes the significance of implementing stringent security measures when conducting transactions on-chain. Community-trusted and battle-tested protocols may still be vulnerable to exploits or ship defective code.
On Sunday, PeckShield, a blockchain security company, discovered the vulnerability. It targeted contracts deployed within the previous ten days, leaving wallets that recently granted Sushi permission to execute transactions susceptible to attack.
The attack exploited vulnerabilities in Sushi’s recently deployed RouteProcessor2 contract, which users were required to pre-approve prior to trading ERC-20 tokens on the platform. However, the contract erroneously authorized the “pool address” to withdraw funds that unsuspecting Sushi users had approved for trading.
Grey stated that the exploit only affected users who had recently traded assets on the exchange, emphasizing that liquidity providers are unaffected.
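The advice to revoke approvals can be checked from a token's event history. The sketch below is an added example, not code from Sushi or PeckShield: it replays ERC-20 `Approval` logs and lists owners whose last approval to an affected spender is still nonzero. All addresses and log records are constructed placeholders, and block number and log index are assumed to be integers.

```python
# Added example: constructed logs and placeholder addresses, not real contracts.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
MAX_UINT256 = 2**256 - 1
AFFECTED_SPENDER = "0x" + "aa" * 20  # placeholder for the affected router address
TOKEN = "0x" + "11" * 20             # placeholder ERC-20 token
ALICE, BOB, OTHER = ("0x" + b * 20 for b in ("a1", "b0", "cc"))

def _addr(topic):
    """Return the 20-byte address held in a 32-byte indexed topic."""
    return "0x" + topic[-40:].lower()

def _log(owner, spender, value, block, idx):
    """Build a constructed Approval log (block number and log index as integers)."""
    pad = lambda a: "0x" + "00" * 12 + a[2:]
    return {"address": TOKEN, "blockNumber": block, "logIndex": idx,
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(value, "064x")}

def outstanding_approvals(logs, spender):
    """Replay Approval logs in chain order; return {(token, owner): allowance} still nonzero."""
    latest = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        # ERC-20 Approval has exactly 3 topics; ERC-721 shares topic0 but has 4.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if _addr(topics[2]) != spender.lower():
            continue
        latest[(log["address"].lower(), _addr(topics[1]))] = int(log["data"], 16)
    # Events give the last approved amount, not what transferFrom has since spent:
    # confirm each hit with the token's allowance(owner, spender) before acting.
    return {k: v for k, v in latest.items() if v > 0}

def describe(value):
    return "unlimited" if value == MAX_UINT256 else str(value)

SAMPLE_LOGS = [  # deliberately out of order
    _log(BOB, AFFECTED_SPENDER, 0, 120, 0),              # Bob revoked later
    _log(ALICE, AFFECTED_SPENDER, MAX_UINT256, 100, 3),  # unlimited, never revoked
    _log(BOB, AFFECTED_SPENDER, 5_000, 101, 1),
    _log(ALICE, OTHER, 42, 102, 0),                      # unrelated spender
]

if __name__ == "__main__":
    for (token, owner), value in outstanding_approvals(SAMPLE_LOGS, AFFECTED_SPENDER).items():
        print(f"revoke: owner={owner} token={token} allowance={describe(value)}")
```

A revocation is itself an `approve(spender, 0)` call, which is why Bob's later zero-value log removes him from the result.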
Trust, a pseudonymous white-hat programmer, discovered the vulnerability first and tried to contact the Sushi team about it. After not hearing from Sushi for several hours, Trust attempted to capitalize on the vulnerability by swiping 100 ETH from a compromised wallet to beat malevolent actors to the punch.
PeckShield noted that a wallet controlled by Sifu’s Vision, an investment collective administered by 0xSifu, a current advisor to and former CFO of Wonderland, accounted for the loss of 1,800 ETH ($3.4M) of the stolen funds. Grey verified the news on Twitter, stating that “the vast majority of the exploited funds belonged to a single user.”
0xSifu was exposed as one of the co-founders of the doomed Canadian exchange QuadrigaCX, which caused the transaction to collapse. During the drama, he was voted out of the project, but he was reinstated in January after garnering 93% of the ballots cast in a governance vote.
Grey reported on Sunday that Sushi had recovered 300 ETH and was in discussions with Lido, an Ethereum validator and liquid staking provider, regarding the recovery of an additional 700 ETH.