
Where’s the Money? Sushi Publishes Post-Mortem on Exploit

by BSC News

April 19, 2023


Sushi commits to making whole the users affected by the April 9 attack.

Sushi Commits to Refunding Stolen Funds

The April 9 attack on SushiSwap was a complex affair, sparked by a first attacker and then drawing in white hat and black hat hackers. To date, nearly half of the initially stolen funds have been recovered, according to a post-mortem report from Sushi, which pledged to reimburse all funds to affected users.

According to the report, Sushi contributors soft-launched a new router called RouteProcessor2 to 14 blockchains as part of the decentralized exchange's V3 upgrades. The contract contained a critical vulnerability but could not be upgraded or paused, and it was not possible to revoke access for users.

The post-mortem report details how the vulnerability was identified, how a well-intentioned white hat hacker catalyzed a massive attack by MEV bots, and the resulting fallout and recovery efforts.

The attack mainly affected a single wallet held by user @0xSifu. Out of the initial 1,800 $ETH stolen, a total of 885 $ETH has been recovered, according to the report. Sushi warned that any hacker still holding stolen funds may be reported to law enforcement.

The report contains details on how affected users can claim funds that have been secured by white hat hackers or that were lost to black hat attackers.

“Sushi is committed to making all users whole, and the very last remaining part of the stolen funds lost to black hat hackers will be covered and refunded by Sushi,” according to the report.
