SushiSwap - April 9, 2023

Table Of Content

Share:

Introduction

SushiSwap is a decentralized exchange built on the Ethereum blockchain that utilizes an automated market maker (AMM) system to provide liquidity and facilitate token swaps. The organization aims to revolutionize the DeFi sector by incorporating a wide range of products, including decentralized lending markets, yield instruments, auction platforms, and staking derivatives. However, like many DeFi platforms, SushiSwap has experienced a significant security breach. In this analysis, we aim to shed light on this hacking incident, its impacts, the steps taken by the attacker, and recommendations for enhanced security.

Hack Impact

On April 9, 2023, SushiSwap suffered a security breach which led to a loss of over $3.3 million. The attack exploited a flaw in the RouteProcessor2 contract of SushiSwap's router processor. The fallout was felt across several major chains that had previously authorized the RouteProcessor2 contract.

SushiSwap Hack Explained

Step 1: Smart Contract Manipulation

The attacker set off the exploit by executing the processRoute() function within the vulnerable RouteProcessor2 contract, inserting an atypical argument. This action led the router to interact with a new contract that had been purposely prepared by the attacker.

Step 2: Swap Function Exploitation

The attacker used the uniswapV3SwapCallback()method within the vulnerable contract’s internal swap() function. This method was used to send tokens from the source account to the attacker-controlled recipient's address. No checks or pool verifications were performed before passing the user-provided pool parameter to the swap, enabling the attacker to set their pool address as the LastCallPool variable address.

Step 3: Token Theft

Having set their pool address, the attacker could then use the fraudulent pool’s uniswapV3SwapCallback function within its swap() function to bypass the msg.sender check. This allowed the attacker to steal the tokens of other users who had previously accepted the Routerprocessor2 contract.

Recommendation for Enhanced Security

As a mitigation strategy, it is highly recommended that user inputs are validated and modifiers are utilized on critical functionalities that may affect balances and user funds. Proper implementation of access control is also vital, with only the contract owner being allowed to perform critical transactions. Conditions should not be bypassable by any form of privilege escalations.

Transaction Analysis

The malicious activities initiated by the attacker were linked to the following addresses:

Attacker's address: 0x719cdb61e217de6754ee8fc958f2866d61d565cf

Attacker's transaction: 0xea3480f1f1d1f0b32283f8f282ce

RouteProcessor2 Vulnerable Contract: 0x044b75f554b886a065b9567891e45c79542d7357

Attacker's Contract: 0x000000c0524f353223d94fb76efab586a2ff8664

Funds Flow:

Conclusion

The SushiSwap incident underscores the crucial need for rigorous security measures and audits within the DeFi landscape. Despite being a prominent platform, even SushiSwap wasn't immune to security breaches, reminding us that every project, regardless of size or reputation, carries potential risks if not adequately secured.

The pace of the DeFi world necessitates the utmost priority to smart contract security. Implementing rigorous security procedures, conducting thorough audits, and maintaining transparent communication with the community are all fundamental to safeguarding the platform and users' assets.

Organizations like BlockApex, with their expertise in smart contract auditing, can help platforms identify and mitigate potential vulnerabilities before they're exploited.

This incident is a timely reminder of the importance of security in the thriving yet risky landscape of DeFi. It's essential for platforms to maintain robust security protocols to foster trust and ensure their continued success.

Also, read our Hack Analysis on Merlin DEX!

More Audits

SAFEMOON - March 29, 2023

Safemoon suffered an attack in which the SFM/BNB pool was drained, resulting in a loss of $8.9M worth of ‘locked LP’. The attack was carried out by exploiting a vulnerability in the new Safemoon contract that allowed anyone to burn SFM tokens from any address, thus inflating the price of SFM tokens in the pool.

Rari Capital Hack Analysis & POC

Rari capital got hacked for around $79M through a classic re-entrancy attack. Rari is a fork of compound finance which had this bug fixed earlier. It is not the first time Rari has been a victim of a hack.

DeFiGeek Community JAPAN - Hack Analysis (Apr 17, 2023)

On Apr 17, 2023. The DeFiGeek Community fell victim to a security breach in which an attacker exploited a flash loan vulnerability, causing the loss of 10 ETH (valued at over $20,000) from their DeFiGeek Community Pool Dai (fDAI-102

Chainpals Token Audit Report

The main contract is called Chainpals Token. The minting and transfer of the complete supply is done during deployment. This means new tokens can only be minted if the old ones are burnt.

Pickle Finance Hack Analysis & POC (Nov 21st, 2021)

On 21sth November 2021, Pickle finance was hacked, where an attacker was able to drain $19M DAI from the pDai jar. The attack exploited multiple inconsistencies & flaws in the logic of the pickle jar contract.

The Big Fuzz Theory: The Dark Fuzz Rises

Learn how Fuzz Driven Development (FDD) transforms software testing by assisting programmers and testers in overcoming prejudices for improved code quality, security, and performance.

Blockchain Trilemma: The Three Fighting Factors

Blockchain Trilemma - coined by Vitalik Buterin himself, is a condition in which the blockchain undergoes a compromising stage. It is truly believed that a fully decentralized network can never be scalable and secured at the same time.

Orion Protocol - February 4, 2023

The attackers exploited a reentrancy vulnerability in the Orion Protocol's core contract, ExchangeWithOrionPool, by constructing a fake token (ATK) with self-destruct capability that led to the transfer() function.

The DAO Dichotomy: Public Interest Or Personal Gain?

DAOs can be seen as the next step in achieving this vision, eliminating the use of intermediaries in corporate governance. Functioning via an interconnected network of smart contracts, these Decentralized Autonomous Organizations are essentially communities that are fully managed and owned by their members.

1 2 3 11
Designed & Developed by: 
All rights reserved. Copyright 2023