The crypto industry got a bit too close of a call this past weekend. In the early hours of April 9th, a bug in the approval router of the decentralized finance (DeFi) protocol SushiSwap was exploited, resulting in the loss of over $3 million worth of Ethereum. Security resources such as Certik Alert and PeckShield quickly notified the community of the approval bug, which resulted in a major token loss. The hacker was able to access and drain 1,800 ETH (worth roughly $3.3 million) from @0xsifu, a prominent member of the Crypto Twitter community.
The head chef of the Sushi Protocol, Jared Grey, immediately released an alert on the protocol’s networks, urging users to revoke approval of all contracts on the protocol. “Sushi’s RouteProcessor2 contract has an approval bug; please revoke approval ASAP. We’re working with security teams to mitigate the issue,” he urged.
The protocol’s CTO, Matthew Lilley, was also quick to act. He identified the bug as the failure to validate access permissions during a swap transaction, a security flaw found on a few of the protocol’s networks, not just the Ethereum Network. He also quickly released a tool that allows users to check for exposure across a variety of networks, including Ethereum, Polygon, Avalanche, Arbitrum, Gnosis, and Optimism.
Amazingly, the price of SushiSwap’s SUSHI token only took a minor dip after the incident, only down 3%. Grey also noted Grey and his security team had recovered more than 300 ETH of Sifu’s stolen funds, and they were working with Lido’s team to reclaim another 700 ETH in process.
The SushiSwap incident comes at a time when the protocol’s community was already dealing with another major incident of its own. Just two weeks ago, Grey broke the news of SushiSwap’s subpoena from the United States Securities and Exchange Commission (SEC).
“The SEC’s investigation is a non-public, fact-finding inquiry trying to determine whether there have been any violations of the federal securities laws. To the best of our knowledge, the SEC has not (as of this writing) made any conclusions that anyone affiliated with Sushi has violated United States federal securities laws,” Grey stated.
While the SEC’s investigation remains ongoing, SushiSwap were quick to take action against their own security issue this past weekend. Thanks to the quick response team and a whitehat “rescue” process, the immediate danger of the approval bug was averted.
When it comes to blockchain security, it’s more important than ever to have an experienced team of cybersecurity experts ready to respond to any threats. Companies must invest smartly in secure communication methods and secure sources of communication such as protocols and open source libraries. That may include audits, bug bounties, and the monitoring of results.
But the SushiSwap bug serves as an important reminder that protocols should also have a secure approval process. A security vulnerability such as an approval bug can cause irrevocable damages to a protocol’s reputation, and to the entire crypto industry.
The crypto security community was lucky this weekend to have been able to prevent a major financial disaster. But the incident serves as a warning that protocols should always be aware of security flaws, and should always have an experienced team of cybersecurity professionals ready to jump into action.
