Sushi

Exploit

Estimated loss

$200.00M

VERDICT —UNRATED

Verdict pending. Auto-ingested incidents are reviewed before a public verdict is rendered.

▰ METHOD

Undisclosed

Root cause

Root-cause analysis not yet published. The incident description below contains all currently available signal — review the attack transaction directly for definitive forensics.

▰ PROOF OF CONCEPT

DEFIHACKLABS

src/test/2023-04/Sushi_Router_exp.sol

view forked test on github ↗

Reproducible Foundry test fork from SunWeb3Sec/DeFiHackLabs. Clone the repo, run forge test against the file path above, and replay the exploit against a mainnet fork at the historical block. Use for reproduction only — not for live targets.

Forensic narrative

Decentralized exchange SushiSwap has fallen victim to an exploit, which led to the loss of more than $3.3 million from at least one user, known as 0xSifu on Twitter. The exploit involves an approve-related bug on the RouterProcessor2 contract — which PeckShield and SushiSwap Head Chef Jared Grey recommend revoking on all chains. Reported loss: $200,000,000.

Primary source

https://www.theblock.co/post/225473/sushiswap-hack?utm_source=twitter&utm_medium=social ↗

Sourced from

chainsec

Technical record