The SushiSwap hack, a heist which resulted in a staggering $3.3 million loss, is a stark reminder that vulnerabilities still exist in the world of cryptocurrencies. We offer a deep dive into the mechanics of the attack and how FailSafe, our anti-theft tool for cryptocurrencies, would have stopped hackers from stealing millions in digital assets.
In simple terms, what was the vulnerability?
- On SushiSwap, users pick a pairAddress for trading tokens.
- The system then checks if the correct pairAddress is used during the trade.
- However, this system has a security flaw: attackers can create a fake smart contract pretending to be the pairAddress and trick the system. By doing this, attackers can steal tokens from users who have approved the contract to trade on their behalf.
The majority of stolen funds came from user sifuvision.eth, who had given approval to the “SushiSwap: Route Processor 2” smart contract to access funds in the wallet. The approval allowed SushiSwap to access an unlimited amount of their funds, detailed here.
The attacker exploited the vulnerability in the SushiSwap smart contract and stole the funds from sifuvision.eth’s wallet, detailed here.
The exploited vulnerability: the setting detailed in row 315 of the RouteProcessor2.sol smart contract allowed the attacker to gain access.
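The unlimited approval described above is what put the whole wallet balance within reach of the flawed contract. The following Python code is an added example, not from the original article or from FailSafe: it replays ERC-20 Approval event logs in chain order and reports wallets that still hold an effectively unlimited allowance to a watched spender. Every address and log entry is constructed sample data, the router address is a placeholder, and the "effectively unlimited" threshold is an assumption.

```python
# Added example: audit ERC-20 Approval logs for live unlimited allowances.
# All addresses and log entries below are constructed sample data.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
MAX_UINT256 = 2**256 - 1
UNLIMITED_FLOOR = 2**255  # assumption: anything this large is effectively unlimited

def topic_to_address(topic):
    """An indexed address is left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def live_allowances(logs):
    """Replay Approval logs in chain order; the last value per triple wins."""
    state = {}
    for entry in sorted(logs, key=lambda e: (e["blockNumber"], e["logIndex"])):
        topics = entry["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # not an ERC-20 Approval (the ERC-721 one has 4 topics)
        key = (entry["address"].lower(),
               topic_to_address(topics[1]), topic_to_address(topics[2]))
        state[key] = int(entry["data"], 16)  # a later approve(…, 0) revokes
    return state

def risky_approvals(logs, watched_spenders):
    """(token, owner, spender) triples that still hold an unlimited allowance."""
    watched = {s.lower() for s in watched_spenders}
    return sorted(k for k, v in live_allowances(logs).items()
                  if v >= UNLIMITED_FLOOR and k[2] in watched)

def _log(block, index, token, owner, spender, value):
    pad = lambda addr: "0x" + "0" * 24 + addr[2:]
    return {"blockNumber": block, "logIndex": index, "address": token,
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(value, "064x")}

ROUTER, OTHER = "0x" + "aa" * 20, "0x" + "cc" * 20   # placeholder spenders
TOKEN_A, TOKEN_B = "0x" + "11" * 20, "0x" + "22" * 20
ALICE, BOB = "0x" + "a1" * 20, "0x" + "b0" * 20
SAMPLE_LOGS = [
    _log(100, 0, TOKEN_A, ALICE, ROUTER, MAX_UINT256),     # still unlimited
    _log(101, 2, TOKEN_A, BOB, ROUTER, MAX_UINT256),       # revoked at block 105
    _log(105, 0, TOKEN_A, BOB, ROUTER, 0),
    _log(102, 1, TOKEN_B, ALICE, ROUTER, 500 * 10**18),    # bounded allowance
    _log(103, 0, TOKEN_B, BOB, OTHER, MAX_UINT256),        # spender not watched
]

if __name__ == "__main__":
    print(risky_approvals(SAMPLE_LOGS, [ROUTER]))
```

Only the first sample entry is reported: a revoked or bounded allowance limits what a compromised spender contract can move, which is why approving exact amounts and revoking stale approvals reduces exposure to this class of bug.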
How FailSafe Could Have Saved SushiSwap:
Real-time monitoring: FailSafe’s real-time monitoring system keeps a close watch on all pre-chain activity – when a malicious transaction surfaces, the FailSafe interceptor service is activated.
Swift intervention: Upon detecting a suspicious transaction, FailSafe would have swiftly intercepted it, halting the transfer of funds to the hackers’ addresses. This prompt intervention would have prevented the theft from taking place, saving users’ funds and preserving the platform’s reputation.
Secure movement of digital assets: Once the fraudulent transactions were intercepted, FailSafe would have safely transferred the targeted digital assets to a safe wallet. This would have ensured the funds remained out of reach of the hackers and in the possession of their rightful owners.