The Sushiswap project was attacked on April 9, 2023, and suffered a loss of approximately 1800 ETH, about 3.34 million US dollars.
0x02 Vulnerability and Root Cause:
The contract did not validate the incoming “router” parameter, so an attacker could supply a maliciously constructed “router” and steer the operations that follow.
The incoming route parameters are stored in contract state by the processRouteInternal function, and the subsequent swap execution calls into them.
The swapUniV3 function performs the exchange operation. Because the attacker has already stored a malicious router in the contract, the function proceeds to execute a pool contract constructed by the attacker.
The callback function checks that the caller is the pool, but since the attacker has previously modified the stored pool address, this address check is passed. The attacker can therefore construct an arbitrary malicious token transfer inside the callback, and the funds of users who had approved the contract are transferred out.
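The pattern described above, shown as a simplified vulnerable contract beside a hardened one. This is an added illustration written for this article, not Sushiswap's RouteProcessor2 source; the contract names, the storage variable lastCalledPool, the NO_POOL sentinel and the factory check are assumptions introduced here to make the root cause and the fix concrete.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface IUniswapV3Pool {
    function swap(address recipient, bool zeroForOne, int256 amountSpecified,
                  uint160 sqrtPriceLimitX96, bytes calldata data) external returns (int256, int256);
}

interface IUniswapV3Factory {
    function getPool(address tokenA, address tokenB, uint24 fee) external view returns (address);
}

// VULNERABLE model (hypothetical, not the project's code): the pool address is taken straight
// from the caller's route and then trusted in the callback.
contract RouterVulnerable {
    address private lastCalledPool;

    function swapUniV3(address pool, bool zeroForOne, uint256 amountIn,
                       address recipient, address tokenIn) external {
        lastCalledPool = pool; // attacker-controlled value written to storage without any check
        IUniswapV3Pool(pool).swap(recipient, zeroForOne, int256(amountIn), 0,
                                  abi.encode(tokenIn, msg.sender));
    }

    function uniswapV3SwapCallback(int256 amount0Delta, int256 amount1Delta,
                                   bytes calldata data) external {
        // Passes for whatever address was stored above, so any contract can reach this branch
        require(msg.sender == lastCalledPool, "not pool");
        (address tokenIn, address payer) = abi.decode(data, (address, address));
        uint256 amount = uint256(amount0Delta > 0 ? amount0Delta : amount1Delta);
        // Pulls tokens the payer approved to this router and sends them to the caller
        IERC20(tokenIn).transferFrom(payer, msg.sender, amount);
    }
}

// HARDENED model (hypothetical): the pool is derived from a trusted factory instead of calldata,
// the callback re-verifies the caller against that factory, and the stored pool is reset after
// every swap so the callback is only reachable while a swap is in flight.
contract RouterHardened {
    IUniswapV3Factory public immutable factory;
    address private constant NO_POOL = address(1);
    address private lastCalledPool = NO_POOL;

    constructor(address _factory) {
        factory = IUniswapV3Factory(_factory);
    }

    function swapUniV3(address tokenA, address tokenB, uint24 fee, bool zeroForOne,
                       uint256 amountIn, address recipient) external {
        // Canonical token order as used by the pool: token0 has the lower address
        (address token0, address token1) = tokenA < tokenB ? (tokenA, tokenB) : (tokenB, tokenA);
        address pool = factory.getPool(token0, token1, fee);
        require(pool != address(0), "unknown pool"); // only factory-deployed pools are accepted
        address tokenIn = zeroForOne ? token0 : token1;

        lastCalledPool = pool;
        IUniswapV3Pool(pool).swap(recipient, zeroForOne, int256(amountIn), 0,
                                  abi.encode(token0, token1, fee, tokenIn, msg.sender));
        lastCalledPool = NO_POOL; // close the window: no swap in flight, no callback accepted
    }

    function uniswapV3SwapCallback(int256 amount0Delta, int256 amount1Delta,
                                   bytes calldata data) external {
        require(lastCalledPool != NO_POOL, "no swap in progress");
        require(msg.sender == lastCalledPool, "not pool");
        (address token0, address token1, uint24 fee, address tokenIn, address payer) =
            abi.decode(data, (address, address, uint24, address, address));
        // Defence in depth: the caller must be the pool the factory knows for this pair and fee
        require(factory.getPool(token0, token1, fee) == msg.sender, "pool not from factory");
        uint256 amount = uint256(amount0Delta > 0 ? amount0Delta : amount1Delta);
        IERC20(tokenIn).transferFrom(payer, msg.sender, amount);
    }
}
```

The important difference is where the pool address originates: in the vulnerable model it is user input that the callback later trusts, while in the hardened model it is computed from a factory the contract already trusts, and the callback independently confirms that msg.sender is that factory-known pool and that a swap is actually in progress. Any audit of a router that uses swap callbacks should trace each address the callback relies on back to its source.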
Summary and Recommendations
This attack was possible because the contract did not validate its incoming parameters: by maliciously constructing the parameters, the attacker made the contract execute a malicious contract created by the attacker and transfer out the funds of users who had approved the contract.
It is recommended that users who have granted token approval to this contract revoke it as soon as possible to prevent theft of funds.