Bitcoin btc
$ usd

SushiSwap Exploit Leads to Over $3M Loss For Users; SUSHI Drops 6%

2 mins
Updated by Ryan James
Join our Trading Community on Telegram

In Brief

  • At least one SushiSwap user lost $3.3 million to an approve-related bug in the DEX RouterProcessor2 contract.
  • Peckshield reported that the exploited contract was deployed on several chains, including Ethereum, BSC, and Polygon.
  • SUSHI has fallen by more than 5% following the news.
  • promo

Decentralized exchange (DEX) SushiSwap is the latest victim of a DeFi exploit causing at least $3.3 million in losses for one user.

Blockchain security firm Peckshield reported that the exploit was caused by an approve-related bug in its RouterProcessor2 contract. To prevent losses, the firm recommended that users revoke permission to the contract.

Peckshield added that the exploited contract was deployed on several chains, including Ethereum, BSC, Polygon, Fantom, Avalanche, etc.

SushiSwap Confirms Exploit

SushiSwap’s Head Chef, Jared Grey, confirmed the incident and advised users to revoke all chains. He added that the protocol was working with security teams to mitigate the issue.

It is uncertain how many people were affected by the hack. But Peckshield has identified at least one user, OxSifu. The popular DeFi personality lost about 1,800 ETH worth $3.3 million to the exploit.

SushiSwap Exploit
SushiSwap Exploit. Source: PeckShield

One white hat hacker who discovered the bug initially took 100 ETH from the OxSifu wallet, likely to highlight the bug. But others quickly deployed the contract and started copying the attack. Other users have also begun confirming that they lost their funds. 

How Was SushiSwap Exploited?

Cybersecurity firm Ancilla gave a technical explanation of what happened. The firm wrote:

“Root cause is because in the internal swap() function, it will call swapUniV3() to set variable “lastCalledPool” which is at storage slot 0x00. Later on in the swap3callback function the permission check get bypassed.”

According to DeFillama developer 0xngmi, the users likely to be affected are those approved on SushiSwap over the last two weeks, as the contract has been deployed on some chains for up to 2 weeks. Thus, the safest decision would be to revoke all approvals.

Some developers have also built a tool allowing users to search their addresses and see if they are impacted.

Furthermore, the exploit highlights the multiple issues of the DeFi ecosystem, even in what has been a relatively quiet year for hacks and exploits. One user captured the frustration with a tweet saying, “Honestly just take my tokens. This is exhausting.”

SUSHI Tanks 6%

Following news of the exploit, the SUSHI token is down 6% in the last 24 hours to $1.07 at the time of writing, according to BeInCrypto data.

Sushi Price Performance
Sushi Price Performance (Source: BeInCrypto)

Earlier in the week, Grey pointed out that the DEX’s cross-chain swap (xSwap) was seeing significant volume increases.

BeInCrypto reported that the DeFi platform’s decentralized autonomous organization (DAO) was recently targeted by the United States Securities and Exchange Commission (SEC). According to the report, the DAO is setting up a legal defense fund to cover legal costs for core contributors.


All the information contained on our website is published in good faith and for general information purposes only. Any action the reader takes upon the information found on our website is strictly at their own risk.

Oluwapelumi Adejumo
Oluwapelumi believes Bitcoin and blockchain technology have the potential to change the world for the better. He is an avid reader and began writing about crypto in 2020.