Background and Root Cause
FRM and cFRM liquidity on Arbitrum is added to SushiSwap. We also integrated SushiSwap DEX routers and pools with MultiSwap. We recently observed exploit vectors resulting from the approval bug identified in SushiSwap's Router Processor 2 exploit on April 8th, 2023.
Reference to SushiSwap Approval Exploit:
This bug impacts anyone who has provided approval to this router, directly or indirectly. This means if you have swapped tokens on SushiSwap in the past, specifically around April 8th, 2023, you should review this guide. We have seen attackers using the router to extract funds from user addresses for tokens approved on this router.
Shortly before the time of this exploit, FRM and cFRM liquidity were also added to SushiSwap. Additionally, we were conducting MultiSwap Beta around the time of this exploit, so we are sharing precautionary measures with any Beta Users.
Impacted Users
As the Alpha and Beta instructions for MultiSwap Beta Testing pointed out, users should only use burner wallets to test any application, network infra, or protocol functionality. Beta applications are typically in the early stage. Beta releases are more likely to be vulnerable even to third-party exploit vectors, as in this case, where a SushiSwap exploit can impact a beta MultiSwap contract.
If you are in the following set of users, please review this guide and take measures to revoke approvals:
You have swapped tokens on SushiSwap (on any network)
You have participated in MultiSwap Beta or used MultiSwap during private or public beta phases
Instructions Outline
Mitigation steps
Revoke approval options
How to revoke approval using Revoke.Cash?
Resources
Mitigation steps
These steps are highly recommended to avoid loss of funds.
We encourage users to revoke approvals on impacted contracts as a mitigation measure. SushiSwap has since rectified the router bug and deployed a new router, but all users should check for approvals on the impacted contracts and revoke approvals.
Reference to updates about SushiSwap Approval Exploit:
We are providing a variety of options to revoke approvals below.
Revoke approval options
SushiSwap deployed the affected router to 14 networks, including Arbitrum, Arbitrum Nova, Avalanche, Boba, BSC, Ethereum, Fantom, Fuse, Gnosis, Moonbeam, Moonriver, Optimism, Polygon, and Polygon ZkEVM. You can use the explorers on these networks to locate the exploited contract addresses and then revoke approvals. However, there is a more straightforward method. We'll share instructions detailing how you can use Revoke.Cash to revoke approvals from exploited and impacted contracts.
Here are your options:
1. Use each network's explorer to revoke approvals (not recommended)
2. Use Revoke Cash to revoke approvals (recommended)
If you choose option 1, you must use the "Token Approvals" tool on each network's explorer to revoke these approvals.
If you choose option 2, Revoke Cash will find all your approvals across chains.
How to revoke approval using Revoke.Cash?
Go to Revoke.Cash: https://revoke.cash/
Connect your wallet
Revoke.Cash pulls up the approvals you have provided for the current connected network.
At this point, your screen should look something like the following screenshot if you are connected to Ethereum in your connected wallet.
You will see a search bar titled "Search by Authorized Spender Address", as shown in the screenshot above. In this search bar, enter each exploited and impacted address. You can see the example below where the MultiSwap Beta Impacted address is entered in the search, and it pulls up the list of tokens that have been approved on this contract.
You must revoke each token by clicking the "Revoke" button on the right.
Make sure to repeat this process for each address provided in the Exploited and Impacted Contract Addresses List below.
Resources
Exploited and Impacted Contract Addresses List
Unfortunately, there isn't a public list of SushiSwap exploited contract addresses across all networks. The Ethereum contract address was published, and we have also gathered the Arbitrum address. However, addresses for other networks are not retrievable. So, we recommend revoking approvals on all addresses that Revoke Cash loads for you, not just the list of addresses provided below.
Ethereum:
Address Name | Address | Type |
SushiSwap Router 2 Processor | 0x044b75f554b886A065b9567891e45c79542d7357 | Exploited |
BSC:
Address Name | Address | Type |
SushiSwap Router 2 Processor | Unknown | Exploited |
MultiSwap Beta 1 | 0xd66C6a8277B4E258b4B6023F5B4085af00AfA9bB | Impacted |
MultiSwap Beta 2 | 0x7ca60aa20761ebc81f70bb93f5068be4e6765e87 | Impacted |
MultiSwap Beta 3 | 0xfdc68ff9adf88bc2b76f1eaf05bd8dfb169c5abf | Impacted |
Arbitrum:
Address Name | Address | Type |
SushiSwap Router 2 Processor | 0xA7caC4207579A179c1069435d032ee0F9F150e5c | Exploited |
MultiSwap Beta 1 | 0x0d618f4632C135e05d9fD795bab021e7DD3187c4 | Impacted |
Polygon:
Address Name | Address | Type |
SushiSwap Router 2 Processor | Unknown | Exploited |
MultiSwap Beta 1 | 0x72329a50E785bc1A414022D319E3a10A6f12184f | Impacted |
MultiSwap Beta 2 | 0x2aDa518B03C288a5eE1d65196Eaa8c2a6B351935 | Impacted |
Fantom:
Address Name | Address | Type |
SushiSwap Router 2 Processor | Unknown | Exploited |
MultiSwap Beta 1 | 0xb014edCb84b89480Ac21F36837B62Fa75a5BFf8a | Impacted |
MultiSwap Beta 2 | 0xAA209557B51C28a8D050fB500e67498EB3d1d92b | Impacted |
Avalanche:
Address Name | Address | Type |
SushiSwap Router 2 Processor | Unknown | Exploited |
MultiSwap Beta 1 | 0x066599eD3abB7Eaf517119d376254af13871e5B1 | Impacted |
MultiSwap Beta 2 | 0xC77885D17943640021F6e6997Ba6b2947Fb5CB13 | Impacted |
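What checking and revoking an approval amounts to on-chain, as an added example that is not part of the original guide or of any Ferrum or SushiSwap code: it reads the standard ERC-20 allowance(owner, spender) for the Arbitrum addresses listed above and builds the approve(spender, 0) calldata that revokes it. The token and owner addresses and the node replies are constructed placeholders.

```python
# Added example (not from the original guide): check and revoke ERC-20 approvals.
import json

ALLOWANCE = "dd62ed3e"  # selector of allowance(address owner, address spender)
APPROVE = "095ea7b3"    # selector of approve(address spender, uint256 amount)

# Arbitrum spender addresses copied from the list on this page.
ARBITRUM_SPENDERS = {
    "SushiSwap Router 2 Processor": "0xA7caC4207579A179c1069435d032ee0F9F150e5c",
    "MultiSwap Beta 1": "0x0d618f4632C135e05d9fD795bab021e7DD3187c4",
}

def abi_address(addr):
    """Encode a 20-byte address as a left-padded 32-byte ABI word (hex, no 0x)."""
    raw = addr[2:] if addr.startswith("0x") else addr
    # bytes.fromhex raises ValueError on non-hex input; also enforce the length.
    if len(raw) != 40 or len(bytes.fromhex(raw)) != 20:
        raise ValueError("not a 20-byte address: %r" % addr)
    return raw.lower().rjust(64, "0")

def allowance_request(token, owner, spender, req_id=1):
    """JSON-RPC eth_call body that reads allowance(owner, spender) from token."""
    data = "0x" + ALLOWANCE + abi_address(owner) + abi_address(spender)
    return {"jsonrpc": "2.0", "id": req_id, "method": "eth_call",
            "params": [{"to": token, "data": data}, "latest"]}

def decode_allowance(result_hex):
    """Decode the uint256 an eth_call returns; reject empty or short data."""
    raw = result_hex[2:] if result_hex.startswith("0x") else result_hex
    if len(raw) != 64:
        raise ValueError("expected a single 32-byte word, got %r" % result_hex)
    return int(raw, 16)

def revoke_calldata(spender):
    """Calldata for approve(spender, 0); the owner sends it to the token contract."""
    return "0x" + APPROVE + abi_address(spender) + "0" * 64

def open_approvals(results):
    """Names of listed spenders whose decoded allowance is still non-zero."""
    return [name for name, addr in ARBITRUM_SPENDERS.items()
            if decode_allowance(results[addr]) > 0]

if __name__ == "__main__":
    token, owner = "0x" + "11" * 20, "0x" + "22" * 20  # constructed placeholders
    router, beta = ARBITRUM_SPENDERS.values()
    print(json.dumps(allowance_request(token, owner, router)))
    # Constructed node replies: unlimited approval to the router, none to the beta.
    sample = {router: "0x" + "f" * 64, beta: "0x" + "0" * 64}
    for name in open_approvals(sample):
        print(name, "->", revoke_calldata(ARBITRUM_SPENDERS[name]))
```

An allowance is stored per token, so the same check has to be repeated for every token contract the wallet has used with a listed spender.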
Conclusion
The steps above are needed because of the exploit identified in SushiSwap's Router 2 Processor. The impacted MultiSwap Beta contracts are listed above; the impact results from the beta contracts having interacted, with approvals, with the affected contract in the early stages.
If you have any questions about the exploit or the revoke process, please contact our team by clicking the chat icon on the bottom right of this screen.