Decentralized exchange SushiSwap has released a plan to refund all affected users following a hack over the weekend. The exchange explained that user funds were “swept by whitehat security teams” or “lost to blackhat hackers.” If the funds are in the whitehat contract, it means that the security teams recovered the funds, and users will be able to claim them. SushiSwap will build a Merkle Claim contract to return the recovered funds to user wallets.
However, users whose funds are stuck in the blackhat contract will have to wait longer for a refund. This is because the decentralized exchange has to manually verify the legitimacy of each claim through on-chain data analysis, claim by claim, and pay it out accordingly. The exchange urged users to check their approvals as a security measure even if they had not interacted with the protocol in the past ten days.
SushiSwap was exploited on April 9th through an approve-related bug on its RouterProcessor2 contract. Users who approved the vulnerable contract had their assets stolen, leading to a total loss of around $3.3 million. However, one of the attackers returned 90 ETH stolen in the attack, while security firm BlockSec recovered another 100 ETH.
The exchange’s team said it was working with cybersecurity firms to investigate the incident and ensure it did not happen again. The group added that it would deploy new measures to prevent similar incidents from happening in the future. SushiSwap has also suspended its operations temporarily to address the issues related to the hack and restore user confidence.
The incident highlights the need for decentralized exchanges to secure their systems proactively. With the increasing use of DeFi protocols and the rising number of attacks, these platforms must deploy robust security measures to protect user funds. While SushiSwap’s response to the hack is commendable, the incident is a reminder that even the most secure systems can be vulnerable to attacks.