defirisk.co
rubric v1.7.0

SushiSwap: Malicious Callback / Arbitrary Approval Drain

SushiSwap's 4-day-old RouteProcessor2 contract allowed anyone with a fake Uniswap V3 pool to drain tokens from any user who had approved it — costing $3.3M+ across 14 chains, and briefly rekt-ing DeFi villain 0xSifu for 1,800 ETH.

Occurred: 2023-04-08 | Loss: $3M | Status: closed

Summary #

SushiSwap (DEX / AMM) suffered an exploit on 2023-04-08, resulting in a loss of approximately $3M.

Linked factors #

  • RD-F-006 — causal: Audit-deploy gap (RD-F-006, time between audit and deploy; alternate field name: Audit-deploy gap) [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — RouteProcessor2 was 4 days old at time of exploit]
  • RD-F-126 — causal: Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — originally forked from Uniswap V2]
  • RD-F-146 — related: New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — RouteProcessor2 was 4 days old at time of exploit]