SushiSwap Drained of 1800 WETH Due to RouteProcessor2 Contract Vulnerability

Summary #

On April 8, 2023, SushiSwap, a well-known decentralized exchange, came under attack because of a vulnerability in its newly launched RouteProcessor2 contract. The contract was part of SushiSwap’s version 3 (V3) upgrades and had been deployed on 14 different networks. Before SushiSwap could react, anonymous attackers exploited the vulnerability and drained approximately 1800 Wrapped Ether (WETH) from the wallets of users who had approved the contract.

Attackers #

The identity of the attacker is unknown.

Losses #

Timeline #

  • April 8, 2023: SushiSwap soft launches V3 upgrades including the RouteProcessor2 contract.
  • April 8, 2023: HYDN’s security team identifies a critical vulnerability in the RouteProcessor2 contract and raises the issue with SushiSwap’s core contributors.
  • April 8, 2023: SushiSwap rolls back UI upgrades to prevent further token approvals on the vulnerable contract.
  • April 8, 2023: A bounty hunter attempts a white-hat hack to rescue 100 WETH but fails as malicious actors discover the vulnerability through MEV bots and begin the attack.
  • April 8, 2023: SushiSwap gives the green light for HYDN to start a white-hat rescue.
  • April 26, 2023: SushiSwap releases a claim portal for users to claim their lost tokens.

Security Failure Causes #

The SushiSwap post-mortem report identifies several contributing causes:

  • Lack of Contract Pausability: The contract had no pause mechanism, so there was no way to halt it temporarily once the issue was reported; a pause would have limited the damage while a fix was prepared.
  • Use of Unlimited Approvals: The contract relied on unlimited token approvals, an outdated and risky pattern, because every user who had approved it exposed their full balance. Approving only the amount needed for each transaction would have been safer.
  • Hasty Auditing Process: The contract was rushed through auditing, leaving auditors too little time for thorough analysis, so the vulnerability was overlooked.
  • Suboptimal Rollout Procedures: The rollout process for the new contract was not robust enough. Adding the contract to Immunefi’s scope list before deployment would have allowed white hats to find and responsibly report the vulnerability early.
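As an added illustration of the first two causes (this is not SushiSwap's RouteProcessor2 code and does not come from its post-mortem), the Solidity contract below combines an emergency pause with approvals that are scoped to a single swap. It assumes OpenZeppelin Contracts v4.x is installed; `PausableRouter`, `IPool`, `swapExactIn` and `swapExactInWithPermit` are names chosen for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration, not SushiSwap's RouteProcessor2. Assumes OpenZeppelin
// Contracts v4.x; PausableRouter, IPool, swapExactIn and swapExactInWithPermit
// are hypothetical names used only here.
import "@openzeppelin/contracts/security/Pausable.sol";
import "@openzeppelin/contracts/access/Ownable.sol";
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/extensions/IERC20Permit.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// @dev Hypothetical pool interface; real pools expose different calls.
interface IPool {
    function swap(address tokenIn, uint256 amountIn, address recipient)
        external returns (uint256 amountOut);
}

contract PausableRouter is Pausable, Ownable {
    using SafeERC20 for IERC20;

    /// @notice Emergency stop. When a problem is reported, the owner (in
    ///         production a dedicated guardian key or multisig) halts every
    ///         swap path while users revoke approvals and a fix is deployed.
    function pause() external onlyOwner { _pause(); }
    function unpause() external onlyOwner { _unpause(); }

    /// @notice Swap `amountIn` of `tokenIn` that the caller approved earlier.
    /// @dev    Funds are pulled from msg.sender only, and only `amountIn`, so a
    ///         user who approved exactly `amountIn` has nothing else at risk.
    function swapExactIn(
        address tokenIn, uint256 amountIn, address pool, uint256 minOut
    ) public whenNotPaused returns (uint256 amountOut) {
        require(amountIn > 0, "router: zero amount");
        // Move the input straight from the caller to the pool.
        IERC20(tokenIn).safeTransferFrom(msg.sender, pool, amountIn);
        amountOut = IPool(pool).swap(tokenIn, amountIn, msg.sender);
        require(amountOut >= minOut, "router: slippage");
    }

    /// @notice One-time approval per transaction: the EIP-2612 permit grants
    ///         exactly `amountIn` to this router and the swap consumes it in
    ///         the same transaction, so no standing allowance is left behind.
    function swapExactInWithPermit(
        address tokenIn, uint256 amountIn, address pool, uint256 minOut,
        uint256 deadline, uint8 v, bytes32 r, bytes32 s
    ) external whenNotPaused returns (uint256 amountOut) {
        IERC20Permit(tokenIn).permit(
            msg.sender, address(this), amountIn, deadline, v, r, s
        );
        return swapExactIn(tokenIn, amountIn, pool, minOut);
    }
}
```

For tokens without EIP-2612 support, the caller-side equivalent is to call `approve(router, amountIn)` immediately before `swapExactIn` instead of approving `type(uint256).max`, so the allowance never exceeds the trade in flight. Two practical caveats: `whenNotPaused` only protects funds still held by users, so a pause must be paired with public guidance to revoke existing approvals; and a permit signature can be consumed by anyone who submits it first, so production code typically wraps the `permit` call in a try/catch and proceeds if the allowance is already in place.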