SushiSwap has announced a commitment to reimburse all affected users after being hacked over the weekend.
User funds were either “swept by whitehat security teams” or “lost to blackhat hackers,” according to the decentralized exchange. If the funds are in the whitehat contract, it signifies that the money was recovered by the security teams, and users will be able to get their hands on it. To transfer the recovered money to user wallets, SushiSwap will create a Merkle Claim contract.
However, users will have to wait longer for a refund if their funds are still tied to the blackhat contract. This is because the decentralized exchange must carefully examine each claim using on-chain data analysis before it can be paid out.
Users who did not interact with the protocol within the last 10 days are probably not harmed by the attack, according to the decentralized exchange. Nonetheless, as a security precaution, the team advised users to double-check their permissions.
On April 9, an approve-related bug in the RouterProcessor2 contract was exploited against SushiSwap. Assets belonging to users who had approved the vulnerable contract were taken, resulting in a loss of about $3.3 million overall.
SushiSwap hack
Blockchain security firms CertiK Alert and PeckShield claim that the bug affected the approval function of Sushi's RouterProcessor2 contract. This smart contract is in charge of gathering trade liquidity from various sources and figuring out the best price for exchanging coins.
Only individuals who had traded on the decentralized exchange over the previous four days were impacted by the vulnerability. Jared Grey, the chief developer of SushiSwap, advised users to revoke permissions for any contract on the protocol.
To solve the problem, a list of contracts requiring revocation was published on GitHub. A “significant amount of damaged funds” was quickly retrieved using a white hat security procedure after the event.
One of the attackers returned 90 of the stolen ETH, while BlockSec, a security company, retrieved another 100 ETH.