The DeFi ecosystem was rocked by a major breach on April 9, when a smart contract bug in the SushiSwap project led to losses of more than $3 million. According to incident reports posted on Twitter by the blockchain security firms CertiK Alert and PeckShield, an approval-related bug in the platform's RouteProcessor2 contract put the tokens of every user who had approved it at risk; a single user's account was drained of roughly 1,800 ETH, equivalent to about $3.3 million.
Several community members, chief among them Sifu (the user whose funds were lost), expressed their shock at the hack, while a pseudonymous developer at DefiLlama attempted to calm the situation by noting that only users who had interacted with the affected SushiSwap contract in the four days prior to the breach were exposed.
SushiSwap head developer Jared Grey stepped in to offer support, urging users to immediately revoke their approvals for all of the affected contracts before any further funds could be stolen. Grey also published a GitHub list of the contract addresses, across multiple blockchains, whose approvals needed revoking, and reassured users that the "Sushi Protocol" itself, including its main user interface, was not affected by the exploit.
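The revocation step Grey describes is, at the contract level, a call to each token's approve(spender, 0). The following is an added example written for this article, not SushiSwap's own code or tooling: it builds the eth_call payload a wallet uses to read an ERC-20 allowance, decodes the result, and builds the approve(spender, 0) transaction data that revokes it. The two 4-byte selectors are the standard ERC-20 ones; every address below is a constructed placeholder, and the real spender addresses to check are the ones in the list Sushi published, not these values.

```python
# Added example, not SushiSwap's code: audit an ERC-20 approval granted to a spender
# contract and build the approve(spender, 0) calldata that revokes it.
# All addresses are constructed placeholders; substitute the addresses from the
# official revocation list when running this against a real node.

# 4-byte function selectors: the first 4 bytes of keccak256 of the canonical signature.
ALLOWANCE_SELECTOR = bytes.fromhex("dd62ed3e")  # allowance(address,address)
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")    # approve(address,uint256)
UINT256_MAX = 2**256 - 1


def _encode_address(hex_addr: str) -> bytes:
    """ABI-encode a 20-byte address as a left-padded 32-byte word."""
    raw = bytes.fromhex(hex_addr.removeprefix("0x"))
    if len(raw) != 20:
        raise ValueError(f"expected a 20-byte address, got {len(raw)} bytes")
    return raw.rjust(32, b"\x00")


def _encode_uint256(value: int) -> bytes:
    """ABI-encode an unsigned integer as a big-endian 32-byte word."""
    if not 0 <= value <= UINT256_MAX:
        raise ValueError("value out of uint256 range")
    return value.to_bytes(32, "big")


def encode_allowance_call(owner: str, spender: str) -> bytes:
    """Calldata for an eth_call to token.allowance(owner, spender)."""
    return ALLOWANCE_SELECTOR + _encode_address(owner) + _encode_address(spender)


def decode_uint256(return_data: bytes) -> int:
    """Decode the single uint256 word an ERC-20 view function returns."""
    if len(return_data) != 32:
        raise ValueError("expected exactly one 32-byte return word")
    return int.from_bytes(return_data, "big")


def encode_revoke(spender: str) -> bytes:
    """Calldata for token.approve(spender, 0), which zeroes the spender's allowance."""
    return APPROVE_SELECTOR + _encode_address(spender) + _encode_uint256(0)


def plan_revocations(spender: str, allowance_results: dict) -> list:
    """Decide which tokens still need a revoke transaction.

    allowance_results maps token address -> raw return data of allowance(owner, spender).
    Tokens whose allowance is already 0 need nothing; the rest get an approve(spender, 0)
    transaction, flagged when the approval was unlimited (uint256 max).
    """
    plan = []
    for token, ret in allowance_results.items():
        allowance = decode_uint256(ret)
        if allowance == 0:
            continue  # nothing to revoke, so do not spend gas on it
        plan.append({
            "to": token,
            "data": "0x" + encode_revoke(spender).hex(),
            "allowance": allowance,
            "unlimited": allowance == UINT256_MAX,
        })
    return plan


# Constructed sample: a placeholder spender, owner and three placeholder tokens, with the
# raw 32-byte word an allowance() eth_call would return for each.
SPENDER = "0x1111111111111111111111111111111111111111"
OWNER = "0x2222222222222222222222222222222222222222"
SAMPLE_ALLOWANCES = {
    "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": _encode_uint256(UINT256_MAX),     # unlimited approval
    "0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": _encode_uint256(0),               # already revoked
    "0xcccccccccccccccccccccccccccccccccccccccc": _encode_uint256(1_000 * 10**18),  # bounded approval
}

if __name__ == "__main__":
    print("allowance query:", "0x" + encode_allowance_call(OWNER, SPENDER).hex())
    for tx in plan_revocations(SPENDER, SAMPLE_ALLOWANCES):
        label = "unlimited" if tx["unlimited"] else str(tx["allowance"])
        print(tx["to"], label, tx["data"])
```

In practice the allowance calldata goes to a node via eth_call and each planned transaction is signed and sent from the owner's wallet; the example keeps both sides offline so the encoding can be inspected. Two caveats a practitioner should keep in mind: approvals only exist for ERC-20 tokens (WETH, stablecoins and the like), not for native ETH, and an unlimited approval is just as exposed as a bounded one once the spender is compromised, which is why the plan flags it rather than treating it differently.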
Fortunately, Grey also stated that a substantial share of the stolen funds had been recovered quickly by a whitehat security team working around the clock. He specified that the retrieved funds, more than 300 ETH, had been handed back to the victim Sifu, and that the team was still in contact with members of the Lido team in an effort to return a further 700 ETH.
The news comes at a stressful time for SushiSwap, with Grey having broken the news of an SEC subpoena only two weeks prior. Despite the disruption, however, the SUSHI token dipped only slightly over the following 24 hours, dropping by about 3%, which some read as a sign of continued confidence in the project.
In 2021, the SushiSwap team narrowly avoided a massive hack when a white hat hacker discovered a bidding bug in one of its auction contracts that could have been exploited for roughly $350 million. That incident was swiftly brought to the public's attention by PeckShield, the same security firm that was first to publish an incident report on the April 9 breach.
Following the incident, SushiSwap CTO Matthew Lilley released a statement informing users of the breach and outlining his team's efforts to identify any users who may have suffered partial or full loss of funds. He also noted, reassuringly, that the user interface was safe to use and that all exposure to the vulnerable RouteProcessor2 contract had been removed from it.
It is encouraging to see the SushiSwap team act quickly to protect user funds after the exploit. Still, the incident serves as a warning to the entire DeFi community: smart contract bugs are a major threat to blockchain security and should not be taken lightly. Audits and bug bounties must be run continuously rather than once, and users should periodically review the token approvals they have granted and revoke those for contracts they no longer use, since an approval outlives the interaction that created it. Only through such preventative measures can the DeFi ecosystem hope to avoid similar losses in the future.