A bug in a smart contract on the decentralized finance protocol SushiSwap led to over $3 million in losses in the early hours of April 9.
Blockchain security companies CertiK Alert and Peckshield posted about unusual activity related to the approval function in Sushi’s RouteProcessor2 contract, a smart contract that aggregates trade liquidity from multiple sources and identifies the most favourable price for swapping coins. Within a few hours, the bug led to losses of $3.3 million.
Sushi’s head developer, Jared Grey, urged users to revoke permissions for all contracts on the protocol. “Sushi’s RouteProcessor2 contract has an approval bug; please revoke approval ASAP. We’re working with security teams to mitigate the issue,” he said. To address the problem, a list of the contracts requiring revocation on different blockchains has been published on GitHub.
The Sushi community has had an intense weekend. On April 8, Grey and his counsel provided comments on the recent subpoena from the United States Securities and Exchange Commission.
The SEC’s investigation is a non-public, fact-finding inquiry trying to determine whether there have been any violations of the federal securities laws. To the best of our knowledge, the SEC has not (as of this writing) made any conclusions that anyone affiliated with Sushi has violated United States federal securities laws.
Grey claims to be cooperating with the investigation. A legal defence fund in response to the subpoena was proposed on Sushi’s governance forum on March 21.