Verify a decision

{"actor":"system:backfill","investigation_id":"276bd4a1-f6d6-42f2-834c-b153f3b62ae0","kind":"publish","page_slug":"sushiswap-routeprocessor","published_at":"2026-06-01T17:49:39.690Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"SushiSwap RouteProcessor Exploit","sections":[{"content":"The RouteProcessor2 contract was deployed on April 8, 2023 as part of SushiSwap's V3 upgrade rollout. The contract's `processRoute()` function failed to verify that the `pool` parameter passed in the `bytes route` argument referred to a legitimate Uniswap v3 pool. An attacker could supply an arbitrary contract address as the pool, causing RouteProcessor2 to call `IUniswapV3Pool(pool).swap(...)` on the attacker-controlled contract. That contract then re-entered RouteProcessor2 via `uniswapV3SwapCallback`, supplying malicious calldata that redirected ERC-20 token transfers from any wallet that had previously approved the RouteProcessor2 contract. The flaw is classified as an unverified external parameter, closely related to approval-based theft. The contract was non-upgradeable and could not be paused, making real-time mitigation impossible once the exploit was discovered.","heading":"Vulnerability Mechanics","severity":"critical","sources":[{"credibility":1,"name":"RouteProcessor2 Post Mortem — SushiSwap Official Blog","type":"official","url":"https://www.sushi.com/blog/routeprocessor2-post-mortem"},{"credibility":2,"name":"SushiSwap Hack Analysis — Hacken","type":"news","url":"https://hacken.io/discover/sushi-hack-explained/"},{"credibility":2,"name":"BlockSec: SushiSwap Incident — Clumsy Rescue Leads to Copycat Attacks","type":"news","url":"https://blocksec.com/blog/8-sushi-swap-incident-a-clumsy-rescue-attempt-leads-to-a-series-of-copycat-attacks"},{"credibility":2,"name":"SushiSwap Hack Analysis — BlockApex","type":"news","url":"https://blockapex.io/sushiswap-hack-ana/"}]},{"content":"The exploit drained approximately 1,800 WETH (valued at roughly $3.3 million at the time) from wallets that had approved the RouteProcessor2 contract. The primary victim was the pseudonymous trader known as @0xsifu, who lost the bulk of the funds. The vulnerability affected any user who had interacted with RouteProcessor2 across all 14 supported networks: Arbitrum, Arbitrum Nova, Avalanche, Boba, BSC, Ethereum, Fantom, Fuse, Gnosis, Moonbeam, Moonriver, Optimism, Polygon, and Polygon ZkEVM. The exploit window was narrow — the contract had been deployed less than 24 hours before exploitation began — but the scale of approvals collected during that window was sufficient to cause significant losses.","heading":"Losses and Affected Users","severity":"critical","sources":[{"credibility":1,"name":"RouteProcessor2 Post Mortem — SushiSwap Official Blog","type":"official","url":"https://www.sushi.com/blog/routeprocessor2-post-mortem"},{"credibility":2,"name":"SushiSwap Smart Contract Bug Leads to $3.3M Hack — Blockworks","type":"news","url":"https://blockworks.co/news/sushiswap-3-million-hack"},{"credibility":1,"name":"SushiSwap Approval Bug Leads to $3.3M Exploit — CoinTelegraph","type":"news","url":"https://cointelegraph.com/news/sushiswap-approval-bug-leads-to-3-3-million-exploit"},{"credibility":2,"name":"SushiSwap Drained of 1800 WETH — Distributed Networks Institute","type":"news","url":"https://dn.institute/research/cyberattacks/incidents/2023-04-08-sushiswap/"}]},{"content":"On the evening of April 8, HYDN's real-time monitoring systems detected the RouteProcessor2 vulnerability. HYDN's team created a proof-of-concept, contacted SushiSwap leadership, and established a joint war room. Sushi contributors authorized HYDN to conduct a whitehat rescue across all 14 chains. HYDN drained vulnerable user funds to a labeled whitehat wallet (0x74ebb8e8d0b0cc65f06040eb0f77b5da0e33ffee) and deployed a cross-chain watcher contract to front-run further exploitation. In total, HYDN rescued over $750,000 in user assets and was awarded a $200,000 bounty. However, a separate whitehat researcher (@trust__90) also attempted an independent rescue, but used the public mempool rather than a private RPC endpoint, and attempted to rescue only 100 ETH rather than all at-risk funds. This public broadcast was observed by MEV bots, which replicated the attack pattern and drained the majority of the $3.3 million loss within minutes. The HYDN post-mortem notes that uncoordinated, publicly visible rescue attempts can inadvertently amplify attacker opportunity.","heading":"Whitehat Rescue and MEV Complications","severity":"high","sources":[{"credibility":2,"name":"How HYDN Rescued $600k Worth of User Funds For SushiSwap — HYDN Security","type":"official","url":"https://www.hydnsec.com/blog-posts/how-hydn-rescued-600k-worth-of-user-funds-for-sushiswap"},{"credibility":2,"name":"BlockSec: SushiSwap Incident — Clumsy Rescue Leads to Copycat Attacks","type":"news","url":"https://blocksec.com/blog/8-sushi-swap-incident-a-clumsy-rescue-attempt-leads-to-a-series-of-copycat-attacks"},{"credibility":2,"name":"Account Drained of $3.3M: White Hat Rescues SushiSwap — Boxmining","type":"news","url":"https://boxmining.com/account-drained-of-3-3m-white-hat-rescues-sushiswap-from-crypto-exploit-disaster/"}]},{"content":"Jared Grey, SushiSwap's head chef (lead developer), publicly confirmed the exploit and urgently instructed users to revoke all RouteProcessor2 approvals across all chains, stating: 'Sushi's RouteProcessor2 contract has an approval bug; please revoke approval ASAP. We're working with security teams to mitigate the issue.' Grey directed users to revoke.cash and sushi.com as tools to remove approvals. The SushiSwap UI was rolled back to prevent further approvals from being generated. SushiSwap's Immunefi bug bounty report for the vulnerability was initially auto-closed before being reopened, raising questions about the responsiveness of the triage process.","heading":"Team Response and User Guidance","severity":"high","sources":[{"credibility":1,"name":"SushiSwap Hacked, Head Chef Says 'Revoke All Chains' — The Block","type":"news","url":"https://www.theblock.co/post/225473/sushiswap-hack"},{"credibility":2,"name":"SushiSwap Hack: Head Chef Recommends Revoking RouterProcessor2 — CoinMarketCap","type":"news","url":"https://coinmarketcap.com/academy/article/83d32e02-fa70-48fd-a8d4-41254aa0a6fa"},{"credibility":1,"name":"RouteProcessor2 Post Mortem — SushiSwap Official Blog","type":"official","url":"https://www.sushi.com/blog/routeprocessor2-post-mortem"}]},{"content":"SushiSwap established a two-tier compensation process. Users whose funds were rescued by whitehats (Group 1) could reclaim tokens on a 1:1 basis through a Merkle-tree claim portal at sushi.com/claims/rp2, provided they had first revoked the RouteProcessor2 approval. Users whose funds were stolen by malicious actors (Group 2) were asked to submit claims via a Google Form, with each case reviewed individually and verified against on-chain data. Sushi publicly committed to making all affected users whole, including covering the remaining stolen funds not recovered from the blackhat exploiters. Of the 885 ETH accounted for by the HYDN rescue, 685 ETH was deposited to Sushi operations, 190 ETH returned to a victim, and 10 ETH went to the rescue contract. Approximately 795 ETH was redirected as block builder rewards into the Lido vault due to MEV bot activity, and 94.9 ETH remained in an unauthorized wallet at the time of the post-mortem.","heading":"Recovery and Compensation","severity":"medium","sources":[{"credibility":1,"name":"RouteProcessor2 Post Mortem — SushiSwap Official Blog","type":"official","url":"https://www.sushi.com/blog/routeprocessor2-post-mortem"},{"credibility":2,"name":"SushiSwap to Compensate Exploit Victims — AMBCrypto","type":"news","url":"https://ambcrypto.com/sushiswap-to-compensate-exploit-victims-can-this-bring-back-users/"},{"credibility":2,"name":"SushiSwap to Make Exploit Victims Whole — CryptoBriefing","type":"news","url":"https://cryptobriefing.com/sushiswap-to-make-exploit-victims-whole/"},{"credibility":2,"name":"Sushi RouteProcessor2 Claim Portal Launch — SushiSwap on X","type":"official","url":"https://x.com/SushiSwap/status/1650873001494323202"}]},{"content":"The RouteProcessor2 exploit was not SushiSwap's first significant security incident. In August 2021, Paradigm researchers discovered a critical vulnerability in SushiSwap's MISO dutch auction contract that could have resulted in approximately $350 million in losses; the bug was patched in under five hours with no funds lost. In September 2021, SushiSwap's MISO launchpad suffered a supply chain attack when an anonymous contractor (GitHub handle: AristoK3) injected malicious code into the platform's frontend and redirected auction proceeds, stealing approximately $3 million in ETH from the JayPegs Auto Mart auction; the funds were later returned by the attacker. In November 2022, a logic bug in SushiSwap's KashiPairMediumRiskV1 contract led to asset drainage from affected pools. The recurrence of serious security incidents across multiple product lines has drawn scrutiny to SushiSwap's pre-deployment audit and review processes.","heading":"Security History and Prior Incidents","severity":"high","sources":[{"credibility":2,"name":"How White Hats Saved SushiSwap From Potential $350 Million Exploit — CoinMarketCap","type":"news","url":"https://coinmarketcap.com/academy/article/how-white-hats-saved-sushiswap-from-potential-350-million-exploit"},{"credibility":1,"name":"SushiSwap's Token Launchpad Hacked for Over $3M in Ethereum — Decrypt","type":"news","url":"https://decrypt.co/81120/sushiswaps-token-launchpad-hacked-over-3m-ethereum"},{"credibility":2,"name":"KashiPairMediumRiskV1 Logic Bug — BlockSec Medium","type":"news","url":"https://blocksecteam.medium.com/beyond-the-market-risk-a-logic-bug-identified-in-sushiswaps-kashipairmediumriskv1-contract-80ead49d8d6d"},{"credibility":2,"name":"Exec Issues FBI Warning as SushiSwap MISO Suffers $3M Exploit — AMBCrypto","type":"news","url":"https://ambcrypto.com/exec-issues-fbi-warning-as-sushiswaps-miso-suffers-3m-exploit/"}]},{"content":"In the RouteProcessor2 post-mortem, SushiSwap outlined several lessons and procedural changes adopted following the incident. The protocol committed to implementing pausability in high-activity smart contracts, shifting from unlimited token approvals to per-swap approval patterns, allowing adequate audit timelines before deployments, conducting gradual rollouts rather than mass simultaneous multi-chain deployments, and ensuring all new contracts are within scope of bug bounty programs before any UI launch. Additionally, the RouteProcessor2 post-mortem acknowledged that the contract's non-upgradeable, non-pausable design significantly constrained incident response once the vulnerability was discovered.","heading":"Post-Exploit Security Improvements","severity":"medium","sources":[{"credibility":1,"name":"RouteProcessor2 Post Mortem — SushiSwap Official Blog","type":"official","url":"https://www.sushi.com/blog/routeprocessor2-post-mortem"}]},{"content":"At the time of the RouteProcessor2 exploit, SushiSwap was also dealing with an unrelated regulatory matter. Jared Grey had previously disclosed that SushiSwap received a subpoena from the U.S. Securities and Exchange Commission. Grey publicly released SushiSwap's response to the subpoena around the same time as the exploit, on or around April 10, 2023. The convergence of a major exploit and active SEC scrutiny drew significant media attention to the protocol's governance and compliance posture.","heading":"Concurrent SEC Subpoena","severity":"medium","sources":[{"credibility":2,"name":"SushiSwap Loses $3.3M in Exploit, Releases SEC Response — Blockhead","type":"news","url":"https://www.blockhead.co/2023/04/10/sushiswap-loses-3-3m-in-exploit-releases-sec-response/"},{"credibility":2,"name":"SushiSwap Addresses SEC Subpoena While Exploit Leads to $3.3M in Losses — DailyCoin","type":"news","url":"https://dailycoin.com/sushiswap-addresses-sec-subpoena-while-exploit-leads-to-3-3m-in-losses/"}]}],"sources_used":[{"name":"RouteProcessor2 Post Mortem — SushiSwap Official Blog","type":"official","url":"https://www.sushi.com/blog/routeprocessor2-post-mortem"},{"name":"SushiSwap Hacked, Head Chef Says 'Revoke All Chains' — The Block","type":"news_article","url":"https://www.theblock.co/post/225473/sushiswap-hack"},{"name":"SushiSwap Approval Bug Leads to $3.3M Exploit — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/sushiswap-approval-bug-leads-to-3-3-million-exploit"},{"name":"SushiSwap Smart Contract Bug Leads to $3.3M Hack — Blockworks","type":"news_article","url":"https://blockworks.co/news/sushiswap-3-million-hack"},{"name":"How HYDN Rescued $600k Worth of User Funds For SushiSwap — HYDN Security","type":"official","url":"https://www.hydnsec.com/blog-posts/how-hydn-rescued-600k-worth-of-user-funds-for-sushiswap"},{"name":"BlockSec: SushiSwap Incident — Clumsy Rescue Leads to Copycat Attacks","type":"news_article","url":"https://blocksec.com/blog/8-sushi-swap-incident-a-clumsy-rescue-attempt-leads-to-a-series-of-copycat-attacks"},{"name":"SushiSwap DEX Hack Explained — Hacken","type":"news_article","url":"https://hacken.io/discover/sushi-hack-explained/"},{"name":"SushiSwap Hack Analysis — BlockApex","type":"news_article","url":"https://blockapex.io/sushiswap-hack-ana/"},{"name":"SushiSwap to Compensate Exploit Victims — AMBCrypto","type":"news_article","url":"https://ambcrypto.com/sushiswap-to-compensate-exploit-victims-can-this-bring-back-users/"},{"name":"SushiSwap to Make Exploit Victims Whole — CryptoBriefing","type":"news_article","url":"https://cryptobriefing.com/sushiswap-to-make-exploit-victims-whole/"},{"name":"Sushi RouteProcessor2 Claim Portal — SushiSwap on X","type":"official","url":"https://x.com/SushiSwap/status/1650873001494323202"},{"name":"SushiSwap Loses $3.3M in Exploit, Releases SEC Response — Blockhead","type":"news_article","url":"https://www.blockhead.co/2023/04/10/sushiswap-loses-3-3m-in-exploit-releases-sec-response/"},{"name":"SushiSwap's Token Launchpad Hacked for Over $3M in Ethereum — Decrypt","type":"news_article","url":"https://decrypt.co/81120/sushiswaps-token-launchpad-hacked-over-3m-ethereum"},{"name":"KashiPairMediumRiskV1 Logic Bug — BlockSec Medium","type":"news_article","url":"https://blocksecteam.medium.com/beyond-the-market-risk-a-logic-bug-identified-in-sushiswaps-kashipairmediumriskv1-contract-80ead49d8d6d"},{"name":"How White Hats Saved SushiSwap From $350M Exploit — CoinMarketCap Academy","type":"news_article","url":"https://coinmarketcap.com/academy/article/how-white-hats-saved-sushiswap-from-potential-350-million-exploit"},{"name":"SushiSwap Addresses SEC Subpoena While Exploit Leads to $3.3M — DailyCoin","type":"news_article","url":"https://dailycoin.com/sushiswap-addresses-sec-subpoena-while-exploit-leads-to-3-3m-in-losses/"},{"name":"GitHub — Anish-Agnihotri SushiSwap Exploit Repro","type":"other","url":"https://github.com/Anish-Agnihotri/sushiswap-exploit"},{"name":"Sushiswap RouteProcessor2 Exploit Analysis — Steve Ng Medium","type":"news_article","url":"https://steveng.medium.com/sushiswap-routeprocessor2-exploit-aa204469d404"}],"summary":"On April 9, 2023, SushiSwap's RouteProcessor2 contract — deployed just one day earlier across 14 blockchain networks — was exploited due to a failure to validate user-supplied pool addresses, allowing an attacker to redirect token transfers from wallets that had approved the contract. Approximately $3.3 million (roughly 1,800 WETH) was drained, with a single high-profile victim (@0xsifu) accounting for the majority of losses. Whitehat security teams front-ran further exploitation and recovered over $750,000, while SushiSwap committed to making all affected users whole through a two-tier compensation process.","timeline":[{"date":"2021-08-01","event":"Paradigm researchers discover critical vulnerability in SushiSwap MISO dutch auction contract, potentially exposing ~$350M. Patched in under five hours with no funds lost.","source":"CoinMarketCap Academy","source_url":"https://coinmarketcap.com/academy/article/how-white-hats-saved-sushiswap-from-potential-350-million-exploit"},{"date":"2021-09-17","event":"SushiSwap MISO launchpad suffers $3M supply chain attack. Contractor AristoK3 injects malicious frontend code redirecting 864.8 ETH from JayPegs Auto Mart auction. Funds later returned.","source":"Decrypt","source_url":"https://decrypt.co/81120/sushiswaps-token-launchpad-hacked-over-3m-ethereum"},{"date":"2022-11-08","event":"Logic bug in SushiSwap KashiPairMediumRiskV1 contract exploited, draining assets from affected lending pools.","source":"BlockSec Medium","source_url":"https://blocksecteam.medium.com/beyond-the-market-risk-a-logic-bug-identified-in-sushiswaps-kashipairmediumriskv1-contract-80ead49d8d6d"},{"date":"2023-04-08","event":"SushiSwap deploys RouteProcessor2 contract across 14 blockchain networks as part of V3 upgrade rollout. Contract is non-upgradeable and non-pausable.","source":"SushiSwap RouteProcessor2 Post Mortem","source_url":"https://www.sushi.com/blog/routeprocessor2-post-mortem"},{"date":"2023-04-08","event":"HYDN security team's real-time monitoring flags vulnerability in RouteProcessor2. Team creates proof-of-concept and contacts SushiSwap. Joint war room established. SushiSwap UI rolled back to prevent further approvals.","source":"HYDN Security Blog","source_url":"https://www.hydnsec.com/blog-posts/how-hydn-rescued-600k-worth-of-user-funds-for-sushiswap"},{"date":"2023-04-09","event":"Independent whitehat @trust__90 attempts rescue of 100 ETH via public mempool, inadvertently broadcasting the exploit to MEV bots. Cascade of copycat transactions drains approximately 1,800 WETH (~$3.3M) primarily from @0xsifu's wallet.","source":"BlockSec Blog","source_url":"https://blocksec.com/blog/8-sushi-swap-incident-a-clumsy-rescue-attempt-leads-to-a-series-of-copycat-attacks"},{"date":"2023-04-09","event":"Jared Grey publicly confirms exploit, tweets: 'Sushi's RouteProcessor2 contract has an approval bug; please revoke approval ASAP.' Directs users to revoke.cash and sushi.com. HYDN authorized to conduct cross-chain whitehat rescue.","source":"The Block","source_url":"https://www.theblock.co/post/225473/sushiswap-hack"},{"date":"2023-04-09","event":"HYDN completes whitehat rescue, draining vulnerable funds to labeled wallet 0x74ebb8e8d0b0cc65f06040eb0f77b5da0e33ffee and deploying cross-chain watcher contract. Over $750,000 in user assets secured across multiple networks.","source":"HYDN Security Blog","source_url":"https://www.hydnsec.com/blog-posts/how-hydn-rescued-600k-worth-of-user-funds-for-sushiswap"},{"date":"2023-04-10","event":"SushiSwap releases RouteProcessor2 post-mortem and simultaneously releases response to SEC subpoena. Protocol announces two-tier compensation plan for affected users.","source":"Blockhead","source_url":"https://www.blockhead.co/2023/04/10/sushiswap-loses-3-3m-in-exploit-releases-sec-response/"},{"date":"2023-04-25","event":"SushiSwap launches RouteProcessor2 claim portal (sushi.com/claims/rp2) for Group 1 victims (rescued funds), enabling 1:1 token reclamation after revoking the vulnerable contract.","source":"SushiSwap on X","source_url":"https://x.com/SushiSwap/status/1650873001494323202"}]},"v":1}