SushiSwap RouteProcessor Exploit
Summary
On April 9, 2023, SushiSwap's RouteProcessor2 contract — deployed just one day earlier across 14 blockchain networks — was exploited due to a failure to validate user-supplied pool addresses, allowing an attacker to redirect token transfers from wallets that had approved the contract. Approximately $3.3 million (roughly 1,800 WETH) was drained, with a single high-profile victim (@0xsifu) accounting for the majority of losses. Whitehat security teams front-ran further exploitation and recovered over $750,000, while SushiSwap committed to making all affected users whole through a two-tier compensation process.
Connected Entities
1 entities · 10 linked investigationsTimeline(10 events)
2021-08-01
Paradigm researchers discover critical vulnerability in SushiSwap MISO dutch auction contract, potentially exposing ~$350M. Patched in under five hours with no funds lost.
CoinMarketCap Academy2021-09-17
SushiSwap MISO launchpad suffers $3M supply chain attack. Contractor AristoK3 injects malicious frontend code redirecting 864.8 ETH from JayPegs Auto Mart auction. Funds later returned.
Decrypt2022-11-08
Logic bug in SushiSwap KashiPairMediumRiskV1 contract exploited, draining assets from affected lending pools.
BlockSec Medium2023-04-08
SushiSwap deploys RouteProcessor2 contract across 14 blockchain networks as part of V3 upgrade rollout. Contract is non-upgradeable and non-pausable.
SushiSwap RouteProcessor2 Post Mortem2023-04-08
HYDN security team's real-time monitoring flags vulnerability in RouteProcessor2. Team creates proof-of-concept and contacts SushiSwap. Joint war room established. SushiSwap UI rolled back to prevent further approvals.
HYDN Security Blog2023-04-09
Independent whitehat @trust__90 attempts rescue of 100 ETH via public mempool, inadvertently broadcasting the exploit to MEV bots. Cascade of copycat transactions drains approximately 1,800 WETH (~$3.3M) primarily from @0xsifu's wallet.
BlockSec Blog2023-04-09
Jared Grey publicly confirms exploit, tweets: 'Sushi's RouteProcessor2 contract has an approval bug; please revoke approval ASAP.' Directs users to revoke.cash and sushi.com. HYDN authorized to conduct cross-chain whitehat rescue.
The Block2023-04-09
HYDN completes whitehat rescue, draining vulnerable funds to labeled wallet 0x74ebb8e8d0b0cc65f06040eb0f77b5da0e33ffee and deploying cross-chain watcher contract. Over $750,000 in user assets secured across multiple networks.
HYDN Security Blog2023-04-10
SushiSwap releases RouteProcessor2 post-mortem and simultaneously releases response to SEC subpoena. Protocol announces two-tier compensation plan for affected users.
Blockhead2023-04-25
SushiSwap launches RouteProcessor2 claim portal (sushi.com/claims/rp2) for Group 1 victims (rescued funds), enabling 1:1 token reclamation after revoking the vulnerable contract.
SushiSwap on XDecision Log
- hash: 7YkvRdJnofyhboZDJDNXXiuBPjv4Ld1Ks1mATKFV21Px
This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.
model: claude-sonnet-4-6
generated: 6/1/2026, 5:49:34 PM
last updated: 6/1/2026, 5:49:39 PM
avoid.net — verified advice for a post-truth world