Back to Blog

#8: SushiSwap Incident: A Clumsy Rescue Attempt Leads to a Series of Copycat Attacks

Code Auditing
February 18, 2024
5 min read

On April 9, 2023, SushiSwap became the target of an exploit due to an Unverified External Parameter. The total loss is about $3.3 million.

As a leading protocol on Ethereum with a substantial user base, such top protocols are still susceptible to introducing serious new issues during contract upgrades. It's a reminder for the DeFi community that security should always be the top priority. Moreover, this security incident was triggered by a whitehat security researcher's attempt at a rescue, generating considerable debate within the community, and we provide a succinct introduction to this incident, highlighting it as one of the top ten security incidents of 2023.

Background

SushiSwap

SushiSwap, a renowned DEX, launched a vampire attack against Uniswap, achieving tremendous success. At its peak, its TVL reached $8 billion, and it still maintains around $400 million.

Approval

In short: permission for a contract to access and transfer out a specific token from your wallet.

For convenience, many contracts default to ask for unlimited approval. Many users, worried about security risks, only deposit small amounts into various protocols. However, these users grant unlimited funds approval to the protocols, If a protocol is compromised, all approved tokens in the account could be lost.

The Vulnerability

Unverified External Parameter

The RouteProcessor2 contract's processRoute() allows users complete control over the call flow (parameter route) . And in uniswapV3SwapCallback(), the safeTransferFrom()'s parameter from is decoded from the user-provided route. As a result, users who approved the RouteProcessor2 contract lost their assets.

The Attack Process

This incident involved multiple attack transactions, but we'll use the first attack transaction as an example. Transaction: 0x43ff7e01423044cfb501b4fe9ef1386725c0ddc117dadd6e6620cb68bdeaf4f9

  1. The attacker called the vulnerable RouteProcessor2 contract's processRoute() with a carefully constructed long argument route.
  2. processRouteInternal() creates an InputStream based on the route provided by the user.
  3. The transaction followed the attacker's route until reaching swapUniV3(). Note that the pool is decoded from the stream, meaning the attacker controlled which pool to swap() in, setting it as the lastCalledPool.
  4. This called the malicious contract deployed by the attacker, who then simply pass malicious calldata to call back to RouteProcessor2's uniswapV3SwapCallback().
  5. uniswapV3SwapCallback() requires the msg.sender check, but since the lastCalledPool had already been set to the malicious contract, the hacker bypassed the check. Importantly, the safeTransferFrom()'s parameter from was decoded from the attacker-constructed calldata.
  6. Victim's assets are transferred to the malicious contract deployed by the attacker.

Controversial Whitehat Rescue

It’s worth mentioning that a whitehat by the username @trust__90 identified this issue and attempted to rescue funds, but this rescue attempt caused a disaster.

  • Using the mempool to broadcast transactions instead of a private RPC.
  • Attempting to rescue only 100 Ether instead of all at risk.

This opened the door for MEV Bots and other attackers to execute multiple copycat transactions, effectively draining most of the funds. After these events, @trust__90 faced backlash and sought to defend his actions.

BlockSec Rescue

In this attack, we also rescued 100 Ether and returned the funds to the victim, 0xsifu.

To date, we have successfully thwarted over 20 real-world hacks and rescued more than $14,000,000 worth of assets.

Security Recommendations

Upgrades Should Always Be Audited

It's a reminder for the DeFi community that security should always be the top priority. Audits are not a guarantee of security, but the absence of an audit certainly does not ensure safety.

Mitigations for Approve Issue

The year 2023 saw numerous incidents involving approval attacks, and we seize this opportunity to reemphasize the importance of managing approvals. A security practice is to approve only the necessary amounts, or if convenience is a priority, to approve a slightly larger amount than needed.

BlockSec's MetaSuites offers a convenient Approval Diagnosis feature. Additionally, tools like Revoke Cash can be used to regularly check approval statuses.

Adopt Monitoring and Automatic Response Mechanisms

Ethereum is a dark forest, and everyone in the DeFi community faces various risks and challenges, even security experts. In 2023, we launched Phalcon Security, the industry's first automated response system designed not just for monitoring attacks but for actively blocking threats in real-time. Phalcon’s battle-tested capabilities have proven their effectiveness by successfully thwarting over 20 real-world hacks and rescuing more than $14,000,000 worth of assets. This innovation ensures that all stakeholders can sleep more soundly at night, knowing that proactive measures are in place to protect their investments.

Sign up for the latest updates
Newsletter - May 2026
Security Insights

Newsletter - May 2026

In May 2026, the DeFi ecosystem experienced three major security incidents. Echo Protocol lost ~$76.7M due to an administrator key compromise that enabled unauthorized minting of unbacked eBTC on Monad, StablR suffered ~$12.8M from a multisig governance breach leading to unauthorized stablecoin issuance, and the Verus-Ethereum Bridge incurred ~$11.7M following a type-validation failure that allowed a crafted supplemental export to be misclassified as a valid primary export.

~$16M Lost: DxSale, SquidRouterModule & More | BlockSec Weekly
Security Insights

~$16M Lost: DxSale, SquidRouterModule & More | BlockSec Weekly

This weekly security report covers 5 notable attack incidents between May 25 and May 31, 2026, with combined losses of approximately $16M across BNB Chain, Ethereum, Base, Arbitrum, and Cosmos. Key incidents include the DxSale token locker exploit ($7.3M) involving three missing state updates compounded by a deployer key compromise, the SquidRouterModule exploit ($3.2M) caused by improper input validation in an Axelar Bridge integration that allowed forged cross-chain messages to drain 86 Safe wallets, and the Gravity Bridge signing key compromise ($5.4M). Other incidents involve a compromised deployer key (Stake DAO, $91K) and a vulnerable off-chain bridge backend (Alephium, $300K).

~$104.6M Lost: Verus, RetoSwap & More | BlockSec Weekly
Security Insights

~$104.6M Lost: Verus, RetoSwap & More | BlockSec Weekly

This BlockSec weekly security report covers 5 notable attack incidents identified between May 18 and May 24, 2026, with total estimated losses of approximately $104.6M. Two incidents are analyzed in detail: the highlighted $11.7M Verus-Ethereum Bridge exploit, where a type-validation failure allowed a handcrafted supplemental export output to be misclassified as a valid primary export; and the $2.7M RetoSwap exploit on Monero, where a protocol-level authentication flaw in the P2P trade flow allowed an attacker to hijack the arbitrator role via a forged ACK message. Three additional key compromise incidents (EchoProtocol, Polymarket, StablR) accounted for ~$90.2M.

Best Security Auditor for Web3

Validate design, code, and business logic before launch. Aligned with the highest industry security standards.

BlockSec Audit