
Post Mortem: Sushiswap


Project name: Sushiswap

Project type: DEX

Date of exploit: Apr 9th, 2023

Asset loss: $3.3M

Vulnerability: Logic Issue

Date of audit report publishing: Aug 24th, 2021

Conclusion: Out of Audit Scope

Details of the Exploit

Background

Sushiswap is a Decentralised Finance (DeFi) app with features such as swap, cross-chain swap, streaming, vesting, and permissionless market-making for liquidity. RouteProcessor2 is a newly introduced contract for performing swaps that are routed through multiple pairs and AMMs.

Nature of the Vulnerability

The breach on SushiSwap centred on the project's RouteProcessor2 contract. The contract had a flaw wherein it failed to adequately verify the route parameter that users supplied to the processRoute function. This oversight enabled an attacker to redirect the route towards a pool controlled by the attacker, thus exploiting the system.
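The following is an added illustration of the missing check described above, written for this post-mortem; it is not Sushiswap's RouteProcessor2 code. The interfaces (IPool, IPoolFactory), the route encoding as an ABI-encoded address array, and the factory-based allowlist are all simplifying assumptions. It shows only the gap the post names (pool addresses taken from the caller's route with no validation) beside a version that checks every hop against a trusted factory; it does not reproduce how the funds were actually drained.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical minimal interfaces, not Sushiswap's.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface IPool {
    // Swaps whatever tokens were already sent to the pool and pays the output to `to`.
    function swap(address to) external returns (uint256 amountOut);
}

interface IPoolFactory {
    // Assumed registry: returns true only for pools this factory deployed.
    function isPool(address pool) external view returns (bool);
}

// BEFORE: pool addresses come straight from the caller-supplied route.
// Any address decodes as a "pool", including a contract the caller wrote,
// so tokens and calls can be redirected to an attacker-controlled pool.
contract RouteProcessorUnchecked {
    function processRoute(address tokenIn, uint256 amountIn, bytes calldata route)
        external
        returns (uint256 amountOut)
    {
        address[] memory pools = abi.decode(route, (address[]));
        require(pools.length > 0, "empty route");

        // First hop: pull tokens into whatever address the route names.
        IERC20(tokenIn).transferFrom(msg.sender, pools[0], amountIn);

        for (uint256 i = 0; i < pools.length; i++) {
            address recipient = i + 1 < pools.length ? pools[i + 1] : msg.sender;
            amountOut = IPool(pools[i]).swap(recipient);
        }
    }
}

// AFTER: every hop must be a pool known to a trusted factory before any
// token moves toward it or it is called.
contract RouteProcessorChecked {
    IPoolFactory public immutable factory;

    constructor(IPoolFactory factory_) {
        factory = factory_;
    }

    function processRoute(address tokenIn, uint256 amountIn, bytes calldata route)
        external
        returns (uint256 amountOut)
    {
        address[] memory pools = abi.decode(route, (address[]));
        require(pools.length > 0, "empty route");

        // Validate the whole route up front; reject before the first transfer.
        for (uint256 i = 0; i < pools.length; i++) {
            require(factory.isPool(pools[i]), "route: pool not from trusted factory");
        }

        IERC20(tokenIn).transferFrom(msg.sender, pools[0], amountIn);
        for (uint256 i = 0; i < pools.length; i++) {
            address recipient = i + 1 < pools.length ? pools[i + 1] : msg.sender;
            amountOut = IPool(pools[i]).swap(recipient);
        }
    }
}
```

The design point is that a route is untrusted input like any other calldata: each address it names must be checked against a source of truth the contract controls (here a factory registry) before it is allowed to receive funds or be invoked, and the check belongs before the first external call so a bad route fails closed.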

CertiK Audit Overview


Conclusion

On April 9th, 2023, the RouteProcessor2 contract in Sushiswap was exploited due to missing validation of the route input to the processRoute function. The total loss is around $3.3M.

CertiK has audited two token-related contracts for Sushiswap. However, the newly deployed RouteProcessor2 contract was not part of the audit assignment.
