Sushiswap RouteProcessor2 Attack Event Analysis

lunaray
2 min readApr 13, 2023

Event Background:

The Sushiswap project was attacked on April 9, 2023, and suffered a loss of approximately 1800 ETH, about 3.34 million US dollars.

0x02 Vulnerability and Core:

The contract did not check the incoming parameter “router”, allowing attackers to perform subsequent operations by maliciously constructing the “router”.

The incoming router parameters are stored in the contract in the processRouteInternal function, and the subsequent swap execution will call

The function in swapUniV3 performs the exchange operation, and since the attacker has already stored the malicious router in the contract, the function moves on to execute the pool contract constructed by the attacker

In the callback function to determine the function caller is required to pool, as the attacker has previously modified the pool address, here can successfully bypass the address check, so the attacker can arbitrarily and maliciously construct the token transfer function, the authorized user’s funds will be transferred out.

Summary and Recommendations

This attack is due to the fact that the incoming parameters are not checked in the contract and the attacker is able to make the contract go to execute the malicious contract created by the attacker and transfer out the authorized user’s funds by maliciously constructing parameters.

Security advice

It is recommended that users who have contractual authorization for this program cancel it as soon as possible to prevent theft of funds

--

--

lunaray

Lunaray takes a leading position in smart contract auditing and consulting service for blockchain security.