Key Takeaways
- SushiSwap was hacked on April 9.
- Attackers were able to siphon funds directly from the wallets of recent users of the protocol.
- SushiSwap is planning on helping victims recover their funds.
Share this article
Victims of the SushiSwap exploit have a chance of getting their funds back, whether they were preemptively taken by white hat hackers, or stolen by malicious actors.
Returning User Funds
SushiSwap has a plan to make its users whole.
The Ethereum-based decentralized exchange indicated on Twitter today that users that were affected by the protocol’s attack last weekend would be able to recover their funds.
SushiSwap is a decentralized finance project that enables its users to trade cryptocurrencies without needing to rely on a third party. On April 9, a fault in the protocol’s RouteProcessor2 smart contract allowed an exploiter to siphon tokens from users who’d previously approved the faulty contract.
It’s currently unclear how much was actually taken, as groups of white hat hackers quickly mobilized to pre-emptively siphon user funds in order to secure them from malicious parties. However, the attacker was able to steal at least 1,800 ETH (worth over $3.3 million at the time of the exploit) from a single SushiSwap user.
According to SushiSwap, the faulty smart contract was only deployed “in the last ten days”, meaning that users that hadn’t interacted with the protocol since April 2 were not impacted by the exploit. The exchange’s team highly encouraged users to revoke protocol approvals in any case, as a “good security practice.”
SushiSwap indicated that users whose funds had been swept by white hat security teams would be able to claim their funds shortly. The exchange’s development team is currently building a Merkle Claim contract to which users will be able to connect their wallets in order to receive their funds.
Users whose funds were siphoned by attackers will need to submit an email to the SushiSwap security team including transaction IDs and blockchain data for the lost funds. The team indicated that the process would take longer to process as a manual verification of the data would be necessary. “Our goal is to return all user funds to legitimate claimants. We appreciate everyone’s patience and understand your frustration as we work through returning funds to affected users,” the protocol stated.
Disclosure: At the time of writing, the author of this piece owned BTC, ETH, and several other crypto assets.