Back to all stories
Incident Analysis
Post Mortem: Sushiswap
Post Mortem: Sushiswap

Project name: Sushiswap

Project type: DEX

Date of exploit: Apr 9th, 2023

Asset loss: $3.3M

Vulnerability: Logic Issue

Date of audit report publishing: Aug 24th, 2021

Conclusion: Out of Audit Scope

Details of the Exploit


Sushiswap is a Decentralised Finance (DeFi) app with features such as swap, cross-chain swap, streaming, vesting, and permissionless market-making for liquidity. RouteProcessor2 is a newly introduced contract for performing swaps that go through multiple pairs and AMMS.

Nature of the Vulnerability

The breach on SushiSwap focused on the RouteProcessor2 contract of the project, the contract had a flaw wherein it failed to adequately verify the route parameter that users supplied to the processRoute function. This oversight enabled an attacker to redirect the route towards a pool controlled by the attacker, thus exploiting the system.

CertiK Audit Overview

Screenshot 2024-01-11 at 8.40.12 PM


On April 9th, 2023, the RouteProcessor2 in Sushiswap was exploited due to missing validation on the input with processRoute function. The total loss is around $ 3.3 M.

CertiK has audited two token-related contracts for Sushiswap. However, the newly deployed contract RouteProcessor2 is not part of the audit assignment.