SushiSwap Smart Contract Bug Leads to $3.3M Hack

Recovery efforts have seen a large portion of the stolen funds returned

article-image

David Sandron/Shutterstock modified by Blockworks

share

Exploiters found an approval bug in SushiSwap’s Route Processor 2, draining the smart contract of $3.3 million in funds over the weekend.

The majority of stolen funds belonged to a pseudonymous user known as sifuvision.eth or 0xSifu who was said to have lost 1,800 ETH

Blockchain security firm PeckShield urged any users who had approved the relevant smart contract to immediately revoke its approval.

A pseudonymous developer from DefiLama known as 0xngmi noted that the contract had only been deployed on-chain for around two weeks.

“I’m not sure if they were added to frontend back then or later with all the other deployments,” they said. “Best to be safe and assume that sushi approvals in last 2 weeks are all vulnerable.”

The majority of addresses that have approved the problematic smart contract are on Arbitrum and Polygon, though many of these wallets have already revoked its access. 

Route Processor 2 had been deployed on Arbitrum a few weeks ago for testing and audits. Deployment of the smart contract had happened a week ago, but the user interface only went on chain on Saturday, chief technical officer of SushiSwap Matthew Lilley said in a tweet

“The exploit was amplified due to an Immunefi submitter who decided to attempt to white hack the contract themselves, whilst we were in the midst of mitigation, by sending a transaction to the public mem pool, causing absolute havoc,” Lilley tweeted.

The white-hat hacker, later identified as trust__90, responded to the allegations: “​​Let’s take the opportunity to improve as a community and formulate clear policies for when white-hacking is the right thing to do (it’s usually not) and the exact procedure.”

Loading Tweet..

The 10 ETH that trust__90 received as a bounty for their recovery efforts will also be donated to a recovery fund.

“If my intention was to monetize from this hack there were a billion better ways. I’m here for the crypto users and will continue to ethically safeguard them for years to come,” they said. 

Recovery efforts are also well underway at time of publication. 90 ETH of a stolen 100 ETH has been returned by attacker 0x9deff, BlockSec’s fund visualization tool MetaSleuth shows.

Loading Tweet..

Additionally, SushiSwap’s Head Chef Jared Grey noted in a tweet that CoffeeBabe has returned over 300 ETH of sifuvision.eth’s stolen funds, and the SushiSwap team is in touch with Lido to recover an additional 700 ETH.


Get the news in your inbox. Explore Blockworks newsletters:

Tags

Decoding crypto and the markets. Daily, with Byron Gilliam.

Upcoming Events

Old Billingsgate

Mon - Wed, October 13 - 15, 2025

Blockworks’ Digital Asset Summit (DAS) will feature conversations between the builders, allocators, and legislators who will shape the trajectory of the digital asset ecosystem in the US and abroad.

Industry City | Brooklyn, NY

TUES - THURS, JUNE 24 - 26, 2025

Permissionless IV serves as the definitive gathering for crypto’s technical founders, developers, and builders to come together and create the future.If you’re ready to shape the future of crypto, Permissionless IV is where it happens.

Brooklyn, NY

SUN - MON, JUN. 22 - 23, 2025

Blockworks and Cracked Labs are teaming up for the third installment of the Permissionless Hackathon, happening June 22–23, 2025 in Brooklyn, NY. This is a 36-hour IRL builder sprint where developers, designers, and creatives ship real projects solving real problems across […]

recent research

Nillion_DeSci_Report_Template.png

Research

Nillion’s Monad Integration is poised to catalyze the next phase of DeSci’s evolution by eliminating key privacy bottlenecks. This synergy allows researchers, institutions, and DAOs to exchange sensitive data and insights securely while managing governance and payments onchain.

article-image

Celebrating the wisdom of a diamond-handed Bitcoin Legend

article-image

With the success of RWAs and stablecoins, DePINs could onboard the next wave of crypto users

article-image

Is crypto straying too far from things of value?

article-image

Firedancer and Solana ETFs look less significant than before

article-image

The newly passed House bill amplifies that strategic pivot for the Trump administration, from attempting austerity to running the economy hot

article-image

Unable to secure further funding, the game cycled through three different blockchains and at least five different game engines since 2018