SushiSwap DeFi Protocol Loses $3 Million in Exploit, Here’s What is Known About It

SushiSwap, a DeFi protocol, was exploited over the weekend, resulting in the loss of $3.3 million (roughly Rs. 27.03 crore). According to blockchain security firms CertiK and PeckShield, hackers exploited a smart contract around function approvals to carry out the attack on April 9. Researchers have said that SushiSwap users who engaged with the protocol between April 4 and April 9 were the most likely to have been affected.

The smart contract that aggregates trade liquidity from multiple sources and identifies the most favourable price for swapping coins was targeted by the hackers, Cointelegraph said in a report.

It seems the @SushiSwap RouterProcessor2 contract has an approve-related bug, which leads to the loss of >$3.3M (about 1800 eth) from @0xSifu.

If you have approved https://t.co/E1YvC6VZsP, please *REVOKE* ASAP!

One example hack tx: https://t.co/ldg0ww3hAN pic.twitter.com/OauLbIgE0Q

— PeckShield Inc. (@peckshield) April 9, 2023

Jared Grey, the head developer of SushiSwap, has advised all protocol users to revoke permissions for all contracts of the Ethereum-built protocol.

We’ve secured a large portion of affected funds in a whitehat security process. If you have performed a whitehat recovery please contact security@sushi.com for next steps.

— Jared Grey (@jaredgrey) April 9, 2023

Grey has, however, advised people to avoid engaging with the protocol for the time being.

Check your addresses with this tool: https://t.co/4kXrWAgEss

— Jared Grey (@jaredgrey) April 9, 2023

This exploit is the second-biggest hack in the DeFi space so far this year.

In March, DeFi lending protocol Euler Finance lost at least $177.6 million (roughly Rs. 1,455 crore) in an exploit.

Hackers who target DeFi protocols often take advantage of the open-source nature of a platform’s code to identify vulnerabilities and gain unauthorised access.

Earlier last week, the US Treasury Department warned that DeFi services are being severely misused to process illegal transfers. In its recent illicit finance risk assessment on decentralised finance, the Treasury found that notorious actors are exploiting vulnerabilities in the usual anti-money laundering and combating the financing of terrorism (AML/CFT) regulation.

DeFi services that fail to comply with these obligations to prevent money laundering and terrorism financing pose the most significant illicit finance risk in this domain, the assessment found.

In 2022, an array of hacks on DeFi protocols resulted in the loss of $3.8 billion (nearly Rs. 31,100 crore), a recent report by Chainalysis said.

As of January this year, financial losses incurred due to crypto exploits dropped by 93 percent, as compared to the same month last year, a report by PeckShield stated in February.
