Post-exploit response score
Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap's assessment for RD-F-081 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
Assessed on most recent (most material) incident: RouteProcessor2 Apr 2023. Compensation: Group 1 = 1:1 token recovery (rescued funds); Group 2 = case-by-case review (non-recovered funds, partial). Transparency: post-mortem published Apr 18 (10 days), root cause explicitly named, remediation steps listed, HYDN rescue documented. Re-audit committed to. ~$750K+ white-hatted by HYDN; $200K bounty paid to HYDN. Composite ~3.75/5 — above pure-red threshold but below clean-green (compensation not universal for Group 2 victims). Kashi 2022 response: immediate protective action confirmed; compensation procedures announced; no Sushi-authored post-mortem identified — thinner documentation.
Sources
- SushiSwap Pays $200K Bounty to Recover $600K Stolen by Hackers (Blockworks). Blockworks: SushiSwap pays $200K bounty to HYDN. Retrieved 2026-05-17.
- Kashi KashiPairMediumRiskV1 logic bug, SushiSwap response. BlockSec Medium: Kashi protective action confirmed. Retrieved 2026-05-17.
Methodology
Curator-score (1–5) the most recent incident response on: compensation completeness, transparency of disclosure, root-cause analysis depth, and operational recovery speed.