Unveiling the SushiSwap Approval Bug: How a $3.3M Exploit was Unleashed

Decentralized Exchange SushiSwap Hit by $3 Million Losses Due to Smart Contract Bug

Reports from blockchain security companies CertiK Alert and Peckshield reveal that a bug in the smart contract of SushiSwap, a decentralized finance (DeFi) protocol, resulted in losses of over $3 million on April 9. The bug was identified in Sushi’s RouteProcessor2 contract, which aggregates trade liquidity from multiple sources and determines the most favorable price for swapping coins.

The hack is believed to have affected only users who made swaps on the protocol within the past four days, as per DefiLlama pseudonymous developer 0xngmi. In response, Sushi’s head developer, Jared Grey, urged users to revoke permissions for all contracts on the protocol and created a list of contracts on GitHub with different blockchains that require revocation to address the issue.
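The revocation advice above boils down to a two-step check for any wallet that interacted with the affected contracts: find which token allowances are still outstanding to those contracts, then set each one back to zero with a plain ERC-20 `approve(spender, 0)` call. The script below is an added illustration of that audit, not code from Sushi or from the GitHub list the article mentions. It replays a constructed set of ERC-20 `Approval` events offline (no RPC node needed), filters them against a contract list, and ABI-encodes the revoke call. All addresses are constructed placeholders; the real contract addresses to revoke come only from Sushi’s published list.

```python
"""Audit outstanding ERC-20 allowances and build revoke calldata.

Added example (not SushiSwap's own tooling). Events and addresses below are
constructed placeholders; substitute the contract list Sushi published.
"""
from dataclasses import dataclass

# 4-byte selector of approve(address,uint256): first 4 bytes of keccak256 of that signature.
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")
UINT256_MAX = 2**256 - 1  # the "unlimited" allowance many dApps request


@dataclass
class ApprovalEvent:
    """One ERC-20 Approval(owner, spender, value) log, in chain order."""
    token: str
    owner: str
    spender: str
    value: int


def outstanding_allowances(events):
    """Replay Approval events in order.

    Each Approval event overwrites the allowance for (token, owner, spender),
    so the last event per key is the current state. Only non-zero entries are
    returned, since zero allowances need no action.
    """
    allowances = {}
    for ev in events:
        key = (ev.token.lower(), ev.owner.lower(), ev.spender.lower())
        allowances[key] = ev.value
    return {k: v for k, v in allowances.items() if v > 0}


def approvals_to_revoke(events, owner, contracts_to_revoke):
    """Return (token, spender, value) for the owner's live allowances to listed contracts."""
    revoke = {c.lower() for c in contracts_to_revoke}
    return sorted(
        (token, spender, value)
        for (token, o, spender), value in outstanding_allowances(events).items()
        if o == owner.lower() and spender in revoke
    )


def encode_approve(spender, amount):
    """ABI-encode approve(spender, amount): selector + address left-padded to 32 bytes + uint256."""
    addr = bytes.fromhex(spender[2:])
    if len(addr) != 20:
        raise ValueError("spender must be a 20-byte hex address")
    return APPROVE_SELECTOR + addr.rjust(32, b"\x00") + amount.to_bytes(32, "big")


def revoke_calldata(spender):
    """Calldata for approve(spender, 0), sent as a transaction to the token contract."""
    return encode_approve(spender, 0)


# Constructed sample data (placeholders, not real addresses).
OWNER = "0x" + "11" * 20
AFFECTED_CONTRACT = "0x" + "aa" * 20   # stands in for a contract on the revocation list
OTHER_SPENDER = "0x" + "bb" * 20       # an unrelated spender that should be left alone
TOKEN_A = "0x" + "01" * 20
TOKEN_B = "0x" + "02" * 20

SAMPLE_EVENTS = [
    ApprovalEvent(TOKEN_A, OWNER, AFFECTED_CONTRACT, UINT256_MAX),  # unlimited approval to listed contract
    ApprovalEvent(TOKEN_B, OWNER, OTHER_SPENDER, 1_000),            # unrelated spender, keep
    ApprovalEvent(TOKEN_B, OWNER, AFFECTED_CONTRACT, 500),           # later set back to zero below
    ApprovalEvent(TOKEN_B, OWNER, AFFECTED_CONTRACT, 0),             # already revoked, no action
]

if __name__ == "__main__":
    for token, spender, value in approvals_to_revoke(SAMPLE_EVENTS, OWNER, [AFFECTED_CONTRACT]):
        print(f"token {token} -> spender {spender}: allowance {value}")
        print("  revoke calldata:", revoke_calldata(spender).hex())
```

The encoding is the standard ABI layout, so the same calldata can be submitted through any wallet or RPC client as a transaction whose `to` is the token contract; the `Approval` events that a real audit would replay come from the token's logs filtered on the owner address.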

Grey took to Twitter hours after the incident to announce that a “large portion of affected funds” had been recovered through a white hat security process. He stated, “We’ve confirmed recovery of more than 300ETH from CoffeeBabe of Sifu’s stolen funds. We’re in contact with Lido’s team regarding 700 more ETH.”

Sushi Community Faces Challenges

The incident comes amidst an intense weekend for the Sushi community, as Grey and his counsel provided comments on the recent subpoena from the United States Securities and Exchange Commission (SEC). Grey stated that the SEC’s investigation is a non-public, fact-finding inquiry to determine whether there have been any violations of federal securities laws by Sushi, and as of the time of writing, no conclusions have been made by the SEC regarding any violations.

Grey claims to be cooperating with the investigation, and a legal defense fund in response to the subpoena was proposed on Sushi’s governance forum on March 21.


The recent smart contract bug on SushiSwap that resulted in losses of over $3 million highlights the ongoing security challenges faced by DeFi protocols. Prompt actions were taken by Sushi’s development team to mitigate the issue and recover the affected funds. However, this incident also adds to the existing regulatory scrutiny on DeFi protocols, as evidenced by the subpoena from the SEC. As the DeFi space continues to evolve, it is imperative for protocols to prioritize security measures and regulatory compliance to ensure the safety of users and their funds.
