A bug introduced into SushiSwap four days ago was exploited late Saturday to drain about $3.3 million in Ethereum from a single user’s account.
According to blockchain security and data analytics company PeckShield, a wallet controlled by the victim—a prominent member of the Crypto Twitter community known as Sifu—was targeted by an “approve-related bug” in SushiSwap’s RouterProcessor2 contract to steal about 1,800 ETH.
Ancilia, a cybersecurity startup backed by Binance, concluded that the weakness was a failure to verify access permissions partway through a swap transaction. The company also found the vulnerable contract deployed on the Polygon network.
Around an hour later, SushiSwap “head chef” Jared Grey confirmed the issue and the exploit, repeating PeckShield’s advice that users who have interacted with SushiSwap revoke all approvals granted to its contracts. Grey had first reported on SushiSwap’s SEC subpoena two weeks earlier.
More than 300 ETH of Sifu’s stolen funds have since been recovered, with the recovery of another 700 ETH in progress. MetaSleuth, a crypto visualisation tool, has been tracking the recovery effort.