
SushiSwap Loses $3.3M in Exploit, Releases SEC Response

An "approved-related bug" in SushiSwap's RouteProcessor2 contract led to a 1,800 ETH drain at a time when the exchange is being grilled by the SEC.

Image credit: Louis Hansel on Unsplash


A SushiSwap exploit has resulted in a single user's account being drained of $3.3 million worth of ETH at a time when the exchange is facing scrutiny from the US Securities & Exchange Commission (SEC).

On Saturday, crypto personality Sifu was reportedly hit through an "approved-related bug" in SushiSwap's RouteProcessor2 contract, and 1,800 ETH was stolen. The RouteProcessor2 contract is used to conduct trade routing on the SushiSwap exchange.

The exploit stemmed from a failure to validate access permissions during the swap transaction, and the bug is reportedly also present on Polygon.

SushiSwap CEO Jared Grey confirmed the bug an hour after it had been reported, stating, "Sushi's RouteProcessor2 contract has an approval bug; please revoke approval ASAP. We're working with security teams to mitigate the issue."
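To act on a revoke notice like this one, a user or responder first needs to know which token approvals to the affected contract are still live. The sketch below is an added example, not SushiSwap's code or part of the original report: it replays ERC-20 `Approval` event logs to list approvals to one spender that were never reset to zero. Every address and log entry in it is a constructed placeholder.

```python
# Added example: replay ERC-20 Approval logs (eth_getLogs shape) to list
# allowances still granted to one spender. All addresses and logs here are
# constructed placeholders, not real on-chain data.

# keccak256("Approval(address,address,uint256)"), the ERC-20 event topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
MAX_UINT256 = 2**256 - 1

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the last 20."""
    return "0x" + topic[-40:].lower()

def outstanding_approvals(logs, spender):
    """Return {(token, owner): value} for approvals to `spender` not reset to 0."""
    spender = spender.lower()
    latest = {}
    order = lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16))
    for log in sorted(logs, key=order):  # a later Approval overwrites an earlier one
        topics = log["topics"]
        # ERC-721 Approval has the same topic0 but 4 topics; skip it.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(topics[2]) != spender:
            continue
        latest[(log["address"].lower(), topic_to_address(topics[1]))] = int(log["data"], 16)
    return {k: v for k, v in latest.items() if v > 0}

def make_log(token, owner, spender, value, block, index):
    """Build a constructed log entry in eth_getLogs format."""
    pad = lambda a: "0x" + "00" * 12 + a[2:]
    return {"address": token, "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": hex(value), "blockNumber": hex(block), "logIndex": hex(index)}

# Placeholder addresses (constructed)
ROUTER, OTHER = "0x" + "aa" * 20, "0x" + "bb" * 20
TOKEN_A, TOKEN_B = "0x" + "11" * 20, "0x" + "22" * 20
OWNER1, OWNER2 = "0x" + "01" * 20, "0x" + "02" * 20

SAMPLE_LOGS = [
    make_log(TOKEN_A, OWNER2, ROUTER, 0, 105, 1),            # OWNER2 revoked later
    make_log(TOKEN_A, OWNER1, ROUTER, MAX_UINT256, 100, 0),  # unlimited, never revoked
    make_log(TOKEN_A, OWNER2, ROUTER, 5000, 101, 2),
    make_log(TOKEN_B, OWNER2, OTHER, 7, 106, 0),             # different spender
]

if __name__ == "__main__":
    for (token, owner), value in outstanding_approvals(SAMPLE_LOGS, ROUTER).items():
        kind = "unlimited" if value == MAX_UINT256 else str(value)
        print(f"{owner} still approves {kind} of {token} to {ROUTER}")
```

The replayed value is the last amount approved, not necessarily what remains, because spending can reduce an allowance without a new `Approval` event; the token's `allowance(owner, spender)` call is the authoritative figure before and after revoking.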

On Sunday, SushiSwap CTO Matthew Lille said the team is "all hands on deck working through identifying all addresses that have been affected by the RouterProcessor2 exploit. Several rescues have been initiated, and we are continuing to monitor / rescue funds as they become available."

Lille gave assurances that "there is no risk at this time with using Sushi Protocol, and the UI. All exposure to RouterProcessor2 has been removed from the front end, and all LPing / current swap activity is safe to do."

Sushi Subpoena

In late March, SushiSwap was subpoenaed by the SEC. Grey said at the time that the firm is cooperating with the SEC, which is demanding the production of documents related to a case under investigation.


SushiSwap said it plans to establish a legal defense fund to "cover legal costs for core contributors and multisig participants."

In the latest update, Grey released an official statement on SushiSwap's blog. "I am very limited in the amount and type of information that is appropriate to share publicly," he stated.

"Nevertheless, to give the community more information, my counsel and I have prepared a non-privileged “FAQ” below for the public to answer the most frequently asked questions I have received."

17 questions were listed in the Q&A, through which SushiSwap clarified that Grey is still "cooperating with the SEC’s subpoena" and that his employer, Internet Three Software Company, "is also responding to the subpoena voluntarily to cooperate with the SEC’s investigation."


SushiSwap also gave assurances that the investigation "does not mean that the SEC has concluded that Jared, Internet Three Software Company, or Sushi has violated any law."

"To the best of our knowledge, the SEC has not (as of this writing) made any conclusions that anyone affiliated with Sushi has violated United States federal securities laws," it added.

To the final question, "Do you think that Sushi has done anything wrong?", the exchange simply responded: "Not to our knowledge."
