April 9 (Cointime) - Cybersecurity firm SlowMist's Security Team reported an exploit in SushiSwap RouteProcessor2, a smart contract used for token swapping.

"The root cause is that ProcessRoute does not perform any checks on the user-provided route parameter, allowing the attacker to exploit this issue by constructing a malicious route parameter that causes the contract to read a Pool created by the attacker," SlowMist explained in a tweet.

The SlowMist Security Team urges users of RouteProcessor2 to revoke approval for the affected addresses as soon as possible.

Read full thread:

1/ The root cause is that ProcessRoute does not perform any checks on the user-provided route parameter, allowing the attacker to exploit this issue by constructing a malicious route parameter that causes the contract to read a Pool created by the attacker.

2/ Since there is no check for the legality of the Pool in the contract, the lastCalledPool variable is directly set to Pool, and the swap function of the Pool is called.

3/ The malicious Pool calls back the RouteProcessor2's uniswapV3SwapCallback function in its swap function. Since the lastCalledPool variable has been set to Pool, the check for msg.sender in uniswapV3SwapCallback is bypassed.

4/ The attacker exploits this issue to construct token transfer parameters when the malicious Pool calls back the uniswapV3SwapCallback function, stealing tokens from other users who have approved RouteProcessor2.

5/ Fortunately, some users' funds have been front-running by white hats, and there is hope for recovery. The SlowMist Security Team advises users of RouteProcessor2 to revoke approval for the following addresses ASAP.

6/

ETH: 0x044b...7357

BSC: 0xD75F...6550

ARB: 0xA7ca...0e5c

AVAX: 0xbACE...9C4F

FTM: 0x3e60...c715

Gnosis: 0x145d...2E6F

Moonbeam: 0x1838...7480

Moonriver: 0x3D2f...844F

OP: 0xF0cB...eF49

Polygon: 0x5097...649a