PANews reported on April 9 that, according to intelligence analysis by the SlowMist Security Team, SUSHI RouteProcessor2 was attacked. The SlowMist Security Team shared the following in a brief:
1. The root cause is that ProcessRoute does not perform any checks on the route parameter passed in by the user. The attacker exploited this to construct a malicious route parameter so that the Pool read by the contract was one the attacker had created.
2. Since the contract does not check whether the Pool is legitimate, the lastCalledPool variable is set directly to the Pool and the Pool's swap function is called.
3. The malicious Pool calls back the uniswapV3SwapCallback function of RouteProcessor2 in its swap function. Since the lastCalledPool variable has been set to Pool, the check for msg.sender in uniswapV3SwapCallback is bypassed.
4. The attacker exploited this issue: when the malicious Pool called back the uniswapV3SwapCallback function, the attacker constructed the token transfer parameters so as to steal tokens from other users who had authorized RouteProcessor2.
Fortunately, some users' funds were taken by white hats and are expected to be recovered. The SlowMist Security Team recommends that users of RouteProcessor2 promptly revoke the authorization for 0x044b75f554b886a065b9567891e45c79542d7357.
It was reported earlier today that the SushiSwap project was suspected to have been attacked, resulting in a loss of approximately US$3.34 million.
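To act on the revocation advice above, the following added example (not SlowMist's or Sushi's code) replays ERC-20 Approval logs to list owners whose allowance to the RouteProcessor2 address is still non-zero, and builds the approve(spender, 0) calldata that revokes it. The log dictionaries follow the JSON-RPC eth_getLogs shape; the token and owner addresses and all sample logs are constructed, and the helper names are hypothetical.

```python
# Added example: audit and revoke allowances granted to RouteProcessor2.
# keccak256("Approval(address,address,uint256)") and the approve(address,uint256) selector.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
APPROVE_SELECTOR = "095ea7b3"
ROUTE_PROCESSOR2 = "0x044b75f554b886a065b9567891e45c79542d7357"  # address from the report

def _num(x):   # JSON-RPC encodes quantities as hex strings
    return int(x, 16) if isinstance(x, str) else x

def _addr(topic):   # last 20 bytes of a 32-byte indexed topic
    return "0x" + topic[-40:].lower()

def _pad(addr):   # left-pad an address to 32 bytes
    return "0x" + addr[2:].lower().rjust(64, "0")

def outstanding_allowances(logs, spender=ROUTE_PROCESSOR2):
    """Return {(token, owner): amount} for the last non-zero approval to spender.
    Many tokens emit no Approval when transferFrom spends an allowance, so treat
    the result as candidates and confirm each with an on-chain allowance() call."""
    latest = {}
    ordered = sorted(logs, key=lambda l: (_num(l["blockNumber"]), _num(l["logIndex"])))
    for log in ordered:
        t = log["topics"]
        # ERC-721 Approval shares the topic hash but has 4 topics; skip it.
        if len(t) != 3 or t[0].lower() != APPROVAL_TOPIC:
            continue
        if _addr(t[2]) != spender.lower():
            continue
        latest[(log["address"].lower(), _addr(t[1]))] = int(log["data"], 16)
    return {k: v for k, v in latest.items() if v > 0}

def revoke_calldata(spender=ROUTE_PROCESSOR2):
    """Calldata for approve(spender, 0); the owner sends it to the token contract."""
    return "0x" + APPROVE_SELECTOR + _pad(spender)[2:] + "0" * 64

# Constructed sample data (placeholder addresses, not real accounts).
TOKEN, ALICE, BOB, OTHER = ("0x" + b * 20 for b in ("11", "aa", "bb", "cc"))
MAX = 2**256 - 1

def _log(block, idx, owner, spender, value, topic0=APPROVAL_TOPIC):
    return {"address": TOKEN, "blockNumber": hex(block), "logIndex": hex(idx),
            "topics": [topic0, _pad(owner), _pad(spender)], "data": hex(value)}

SAMPLE_LOGS = [
    _log(105, 0, BOB, ROUTE_PROCESSOR2, 0),        # Bob revokes (listed out of order)
    _log(100, 0, ALICE, ROUTE_PROCESSOR2, MAX),    # Alice: unlimited, never revoked
    _log(101, 2, BOB, ROUTE_PROCESSOR2, 1000),
    _log(102, 1, ALICE, OTHER, 5),                 # different spender, ignored
    _log(103, 0, ALICE, ROUTE_PROCESSOR2, 7, topic0="0x" + "00" * 32),  # not Approval
]
```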