Controversial crypto investor Sifu of the Wonderland infamy, has reportedly lost $3.3 million after a hack of the SushiSwap token approval system.
Sifu was ousted as treasury manager of the DeFi protocol following his identification in 2022 as Michael Patryn, co-founder of failed Canadian crypto-asset exchange Quadriga. A former convict who did time for bank fraud, Sifu was not accused of wrongdoing at Wonderland.
The exploit was discovered on April 9 and has primarily affected Sifu, who is well-known in the crypto Twitter community. Blockchain security company PeckShield reported multiple transactions from an address that has been linked to Sifu.
Also read: Twitter Restores Substack Embeds to End Days of Tension
Revoking SushiSwap contract
The company said the attack was caused by a bug on the RouterProcessor2 contract, which related to the SushiSwap token approval system. PeckShield and SushiSwap Head Chef Jared Grey recommended revoking this specific contract across all chains.
It seems the @SushiSwap RouterProcessor2 contact has an approve-related bug, which leads to the loss of >$3.3M loss (about 1800 eth) from @0xSifu.
If you have approved https://t.co/E1YvC6VZsP, please *REVOKE* ASAP!
One example hack tx: https://t.co/ldg0ww3hAN pic.twitter.com/OauLbIgE0Q
— PeckShield Inc. (@peckshield) April 9, 2023
When users approve a bad contract, they inadvertently give the exploiter permission to take their tokens in a process called a “yoink.” According to Brad Kay, an analyst at The Block Research, the unauthorized entity takes tokens without the owner’s proper approval due to the bug.
Kay explains that the first attack – possibly a white hacker – used the buggy contract to take 100 ETH from the account before another stole around 1,800 ethereum tokens. Altogether, the bug allowed the hackers to drain $3.3 million worth of ETH from Sifu’s account.
It is unclear whether other users were affected by the exploit. But the pseudonymous founder of Defillama, 0xngmi, claimed only those who swapped on SushiSwap over the last four days should be affected. He also published a list of contracts he recommended be revoked.
SushiSwap is a decentralized exchange that allows users to trade cryptocurrencies without the need for an intermediary. The platform has gained popularity in recent years due to its low fees and ease of use. However, it has also been the target of several hacks and exploits in the past.
Sifu silent as funds are recovered
Writing on Twitter, SushiSwap chief technology officer Matthew Lilley said:
“We’re urrently all hands on deck working through identifying all addresses that have been affected by the RouterProcessor2 exploit. Several rescues have been initiated, and we are continuing to monitor / rescue funds as they become available.”
Sifu appeared not to have directly responded to news of the hack at SushiSwap. But he retweeted the rumbling write up below, which seems to corroborate earlier reports of the first 100 ETH attack on his account being the work of a white hacker.
People are saying all kinds of terrible things while being uninformed so allow me to share more details.
I've initiated coordination privately with Immunefi officials 3 hours before the white-hack. 90 minutes later, I realized the asset is currently used by the frontend and…— Trust (@trust__90) April 10, 2023
Some stolen funds are also being returned. Security firm BlockSec recovered about 100 ETH, according to pseudonymous crypto analyst Meta Sleuth.
“The negotiation between sifuvision.eth and c0ffeebabe.eth is underway. And the majority of stolen funds went to beaverbuild @beaverbuild, rsync-builder, and Lido: Execution Layer Rewards Vault @LidoFinance,” Meta Sleuth said.
Although SushiSwap implemented a number of security measures to prevent similar attacks from occurring in the future after a series of attacks over the past few years, hackers are finding a way around them.
The incident highlights the risks associated with decentralized finance platforms, which operate on the principle of trustlessness and are often vulnerable to attacks due to the complexity of their smart contracts. It also underscores the importance of auditing and testing smart contracts thoroughly before deploying them to the mainnet.