SushiSwap has retrieved $186,000 worth of ETH from a hacker who drained over $3.3 million worth of ETH on April 9. The exchange has since laid out how affected users can claim lost funds.
SushiSwap to return funds to users
On April 12, SushiSwap gave an update on the recent exploit that cost the exchange more than $3.3 million worth of Ethereum, and on its plan to refund the affected users. The exchange said the funds were swept by blackhat hackers, with some saved by whitehat security teams.
The funds recovered in the whitehat contract are safe, and according to the exchange, users will be able to claim them soon.
Users who cannot trace their funds back to the whitehat contract were advised to submit their blockchain data and transaction IDs by email to [email protected] or to open a ticket in the platform’s Discord channel.
The funds swept by blackhat hackers will take longer to be recovered since security agents have to manually verify and validate their legitimacy against on-chain data before paying them out.
SushiSwap announced that the whitehat-recovered funds would be refunded through a Merkle Claim contract, and that it will make a website available for users to revoke any residual RouteProcessor2 approvals. These refund plans are almost complete, and the affected users will receive their funds in their wallets soon.
The Sushi team is also working to establish a claims process for the unrecoverable blackhat funds, which the affected users can benefit from. The platform said it will manage claims on a ‘case-by-case basis.’
SushiSwap said its goal is to return all the stolen funds to their legitimate holders, and the management is grateful for their patience as they deal with the crisis.
Hacker exploits bug in SushiSwap contract
SushiSwap's RouteProcessor2 contract was compromised on April 9 by a hacker who drained the exchange of over $3.3 million worth of ETH. The contract had an approval-related bug, which the hacker took advantage of. The attack was flagged by PeckShield, a blockchain security company.
Several tweets insinuated that the compromised funds came from a famous pseudonymous trader in Crypto Twitter circles, @0xsifu. However, a pseudonymous DefiLlama developer, @0xngmi, said the exploit only affected DEX users who approved SushiSwap contracts in the past four days.
Jared Grey, the SushiSwap platform’s head developer, advised all users to annul all contract permissions on SushiSwap as a security measure.
Following the new updates, users who have not interacted with Sushi in the past ten days have nothing to worry about but should take an extra step to check their approvals. In addition, SushiSwap assured users that their web app is now safe to use.