Revoke Approvals on Exploited and Test Contracts

Learn how to revoke your wallet's approvals for exploited and test contracts

Written by Taha Abbasi
Updated over a week ago

Background and Root Cause

FRM and cFRM liquidity on Arbitrum is added to SushiSwap. We also integrated SushiSwap DEX routers and pools with MultiSwap. We recently observed exploit vectors resulting from the approval bug identified in SushiSwap's Router Processor 2 exploit on April 8th, 2023.

This bug impacts anyone who has provided approval to this router, directly or indirectly. This means if you have swapped tokens on SushiSwap in the past, specifically around April 8th, 2023, you should review this guide. We have seen attackers using the router to extract funds from user addresses for tokens approved on this router.

Shortly before the time of this exploit, FRM and cFRM liquidity were also added to SushiSwap. Additionally, we were conducting MultiSwap Beta around the time of this exploit, so we are sharing precautionary measures with any Beta Users.

Impacted Users

As the Alpha and Beta instructions for MultiSwap Beta Testing pointed out, users should only use burner wallets to test any application, network infra, or protocol functionality. Beta applications are typically in the early stage. Beta releases are more likely to be vulnerable even to third-party exploit vectors, as in this case, where a SushiSwap exploit can impact a beta MultiSwap contract.

If you are in the following set of users, please review this guide and take measures to revoke approvals:

  1. You have swapped tokens on SushiSwap (on any network)

  2. You have participated in MultiSwap Beta or used MultiSwap during private or public beta phases

Instructions Outline

  1. Mitigation steps

  2. Revoke approval options

  3. How to revoke approval using Revoke.Cash?

  4. Resources

Mitigation steps

These steps are highly recommended to avoid loss of funds.

We encourage users to revoke approvals on impacted contracts as a mitigation measure. SushiSwap has since rectified the router bug and deployed a new router, but all users should check for approvals on the impacted contracts and revoke approvals.

We are providing a variety of options to revoke approvals below.

Revoke approval options

SushiSwap deployed the affected router to 14 networks, including Arbitrum, Arbitrum Nova, Avalanche, Boba, BSC, Ethereum, Fantom, Fuse, Gnosis, Moonbeam, Moonriver, Optimism, Polygon, and Polygon ZkEVM. You can use the explorers on these networks to locate the exploited contract addresses and then revoke approvals. However, there is a more straightforward method. We'll share instructions detailing how you can use Revoke.Cash to revoke approvals from exploited and impacted contracts.

Here are your options:

  1. Use each network's explorer to revoke approvals (not recommended)

  2. Use Revoke.Cash to revoke approvals (recommended)

If you choose option 1, you must use the "Token Approvals" tool on each network's explorer to revoke these approvals.

If you choose option 2, Revoke.Cash will find all your approvals across chains.

How to revoke approval using Revoke.Cash?

  1. Connect your wallet

  2. Revoke.Cash pulls up the approvals you have provided for the current connected network.

  3. At this point, your screen should look something like the following screenshot if your connected wallet is on Ethereum.

  4. You will see a search bar titled "Search by Authorized Spender Address", as shown in the screenshot above. In this search bar, enter each exploited and impacted address. You can see the example below where the MultiSwap Beta Impacted address is entered in the search, and it pulls up the list of tokens that have been approved on this contract.

  5. You must revoke each token by clicking the "Revoke" button on the right.

  6. Make sure to repeat this process for each address provided in the Exploited and Impacted Contract Addresses List below.
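
What a revoke does on-chain, as an added example that is not part of the original guide or Revoke.Cash's code: assuming the tokens are standard ERC-20 contracts, it replays Approval event logs for one wallet, keeps the approvals still open toward the Arbitrum addresses listed under Resources, and builds the approve(spender, 0) call data that clears each one. The owner, token addresses, unrelated spender and log entries are constructed placeholders.

```python
# Added example: offline replay of ERC-20 Approval logs (sample logs are constructed).
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
APPROVE_SELECTOR = "095ea7b3"  # selector of approve(address,uint256)
# Spender addresses copied from this page's Arbitrum list.
FLAGGED = {
    "0xa7cac4207579a179c1069435d032ee0f9f150e5c": "SushiSwap Router 2 Processor (Exploited)",
    "0x0d618f4632c135e05d9fd795bab021e7dd3187c4": "MultiSwap Beta 1 (Impacted)",
}

def word(addr):  # left-pad a 20-byte address to a 32-byte ABI word / log topic
    return addr[2:].lower().rjust(64, "0")

def open_approvals(logs, owner):
    """Replay logs in chain order; last value per (token, spender) wins. Amounts can
    overstate what is left (transferFrom may not emit Approval); safe for revoking."""
    state = {}
    for log in logs:
        t = [x.lower() for x in log["topics"]]
        # ERC-721 Approval shares topic0 but has 4 topics (indexed tokenId): skip it.
        if len(t) != 3 or t[0] != APPROVAL_TOPIC or t[1] != "0x" + word(owner):
            continue
        state[(log["address"].lower(), "0x" + t[2][-40:])] = int(log["data"], 16)
    return {k: v for k, v in state.items() if v > 0}

def revocations_needed(logs, owner):
    """One tx per flagged spender with a live approval: to=token, data=approve(spender, 0)."""
    return [
        {"to": token, "spender": FLAGGED[spender],
         "data": "0x" + APPROVE_SELECTOR + word(spender) + "0" * 64}
        for (token, spender), _ in sorted(open_approvals(logs, owner).items())
        if spender in FLAGGED
    ]

# Constructed sample data: placeholder owner, tokens and an unrelated spender.
OWNER, TOKEN_A, TOKEN_B = "0x" + "11" * 20, "0x" + "aa" * 20, "0x" + "bb" * 20
ROUTER, BETA1, OTHER = list(FLAGGED) + ["0x" + "cc" * 20]
def _log(token, spender, amount, extra=()):
    topics = [APPROVAL_TOPIC, "0x" + word(OWNER), "0x" + word(spender), *extra]
    return {"address": token, "topics": topics, "data": hex(amount)}

SAMPLE_LOGS = [
    _log(TOKEN_A, ROUTER, 2**256 - 1),   # unlimited approval, still open
    _log(TOKEN_B, BETA1, 1000),
    _log(TOKEN_B, BETA1, 0),             # later revoked: nothing left to do
    _log(TOKEN_A, OTHER, 500),           # open, but spender is not on the list
    _log(TOKEN_B, ROUTER, 7, extra=["0x" + "0" * 64]),  # NFT-style log, ignored
]
if __name__ == "__main__":
    print(revocations_needed(SAMPLE_LOGS, OWNER))
```

Because the log replay can only overstate an allowance, a token contract's allowance(owner, spender) call remains the authoritative check after the revoke transaction confirms.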

Resources

Exploited and Impacted Contract Addresses List

Unfortunately, there isn't a public list of SushiSwap exploited contract addresses across all networks. The Ethereum contract address was published, and we have also gathered the Arbitrum address. However, addresses for other networks are not retrievable. So, we recommend revoking approvals on all addresses that Revoke.Cash loads for you, not just the list of addresses provided below.

Ethereum:

| Address Name | Address | Type |
| --- | --- | --- |
| SushiSwap Router 2 Processor | 0x044b75f554b886A065b9567891e45c79542d7357 | Exploited |

BSC:

| Address Name | Address | Type |
| --- | --- | --- |
| SushiSwap Router 2 Processor | Unknown | Exploited |
| MultiSwap Beta 1 | 0xd66C6a8277B4E258b4B6023F5B4085af00AfA9bB | Impacted |
| MultiSwap Beta 2 | 0x7ca60aa20761ebc81f70bb93f5068be4e6765e87 | Impacted |
| MultiSwap Beta 3 | 0xfdc68ff9adf88bc2b76f1eaf05bd8dfb169c5abf | Impacted |

Arbitrum:

| Address Name | Address | Type |
| --- | --- | --- |
| SushiSwap Router 2 Processor | 0xA7caC4207579A179c1069435d032ee0F9F150e5c | Exploited |
| MultiSwap Beta 1 | 0x0d618f4632C135e05d9fD795bab021e7DD3187c4 | Impacted |

Polygon:

| Address Name | Address | Type |
| --- | --- | --- |
| SushiSwap Router 2 Processor | Unknown | Exploited |
| MultiSwap Beta 1 | 0x72329a50E785bc1A414022D319E3a10A6f12184f | Impacted |
| MultiSwap Beta 2 | 0x2aDa518B03C288a5eE1d65196Eaa8c2a6B351935 | Impacted |

Fantom:

| Address Name | Address | Type |
| --- | --- | --- |
| SushiSwap Router 2 Processor | Unknown | Exploited |
| MultiSwap Beta 1 | 0xb014edCb84b89480Ac21F36837B62Fa75a5BFf8a | Impacted |
| MultiSwap Beta 2 | 0xAA209557B51C28a8D050fB500e67498EB3d1d92b | Impacted |

Avalanche:

| Address Name | Address | Type |
| --- | --- | --- |
| SushiSwap Router 2 Processor | Unknown | Exploited |
| MultiSwap Beta 1 | 0x066599eD3abB7Eaf517119d376254af13871e5B1 | Impacted |
| MultiSwap Beta 2 | 0xC77885D17943640021F6e6997Ba6b2947Fb5CB13 | Impacted |

Conclusion

The steps above are needed because of the exploit identified in SushiSwap's Router 2 Processor. The impacted MultiSwap Beta contracts are listed above; they are impacted because, in the early stages, the beta contracts interacted with the affected contract using approvals.

If you have any questions about the exploit or the revoke process, please contact our team by clicking the chat icon on the bottom right of this screen.
