Veröffentlicht von • The RouteProcessor2 contract was recently deployed and allows users to pre-approve for token swaps. Unfortunately, this contract interacts with UniswapV3 pools in an unsafe manner which allowed malicious actors to exploit a vulnerability and gain access to user funds.
• A pseudonymous white-hat hacker known as Trust was able to save a significant amount of users‘ funds by performing a preemptive April 10 hack on the funds held by Sifu, only to return those funds after moving them to safety.
• The complexity of MEV bots further exacerbated the situation, raising concerns about the maturity of the production codebase and emphasizing the need for improved security measures.
Introduction
This article is an exclusive interview with pseudonymous white-hat hacker known as Trust regarding their recent hack that took advantage of a vulnerability in the RouteProcessor2 contract on SushiSwap.
Vulnerability Details
The RouteProcessor2 contract is designed to oversee various types of token SushiSwap (SUSHI) swaps. Users pre-approve the contract to spend their ERC20 tokens, and then call the swap() function to execute the swap. However, due to insufficient security measures, this allows any user to fake a swap and gain access to another user’s entire approved amount simply by providing false information about source and amount of transfer.
Trust’s Hack
Trust decided to perform a preemptive hack for several reasons, such as not receiving response from development team after submitting vulnerability report one and a half hours before the hack, being afraid that team might not be available during weekend or understanding that contract couldn’t be fixed but hacked or have user approvals revoked instead. Despite saving majority of funds at risk they didn’t anticipate complexity of MEV bots in situation resulting in loss for some users too.
Implications
The oversight allowed by RouteProcessor 2 raises serious concerns about maturity of production codebase necessitating improved security measures moving forward. In addition presence of highly sophisticated MEV bots highlighted extensive resources available for malicious actors making it important for crypto community members remain vigilant when dealing with DeFi protocols like SushiSwap.
Conclusion
This incident highlights how crucial it is for all crypto services providers—from developers and auditors through exchanges—to prioritize security when building products based on blockchain technology so that users can trust these services with their assets safely and securely without fear of exploitation from malicious actors.