Unchecked Route Parameter Allows Exploit in SushiSwap RouteProcessor2, SlowMist Reports

Cointime Official

April 9 (Cointime) - Cybersecurity firm SlowMist's Security Team reported an exploit in SushiSwap RouteProcessor2, a smart contract used for token swapping.

"The root cause is that ProcessRoute does not perform any checks on the user-provided route parameter, allowing the attacker to exploit this issue by constructing a malicious route parameter that causes the contract to read a Pool created by the attacker," SlowMist explained in a tweet.

The SlowMist Security Team urges users of RouteProcessor2 to revoke approval for the affected addresses as soon as possible.

Read full thread:

1/ The root cause is that ProcessRoute does not perform any checks on the user-provided route parameter, allowing the attacker to exploit this issue by constructing a malicious route parameter that causes the contract to read a Pool created by the attacker.

2/ Since there is no check for the legality of the Pool in the contract, the lastCalledPool variable is directly set to Pool, and the swap function of the Pool is called.

3/ The malicious Pool calls back the RouteProcessor2's uniswapV3SwapCallback function in its swap function. Since the lastCalledPool variable has been set to Pool, the check for msg.sender in uniswapV3SwapCallback is bypassed.

4/ The attacker exploits this issue to construct token transfer parameters when the malicious Pool calls back the uniswapV3SwapCallback function, stealing tokens from other users who have approved RouteProcessor2.

5/ Fortunately, some users' funds have been front-run by white hats, and there is hope for recovery. The SlowMist Security Team advises users of RouteProcessor2 to revoke approval for the following addresses ASAP.

6/

ETH: 0x044b...7357

BSC: 0xD75F...6550

ARB: 0xA7ca...0e5c

AVAX: 0xbACE...9C4F

FTM: 0x3e60...c715

Gnosis: 0x145d...2E6F

Moonbeam: 0x1838...7480

Moonriver: 0x3D2f...844F

OP: 0xF0cB...eF49

Polygon: 0x5097...649a
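The following is an added illustration, not SlowMist's thread or SushiSwap's contract code: a small Python model of the control flow the thread describes, so the guard bypass and a mitigation can be checked side by side. Contracts are plain objects, `msg.sender` is passed explicitly, and the `Factory.is_pool` registry is an assumed stand-in for however a router would verify that a pool address was really deployed by the trusted factory. All account names, balances and class names are constructed for the example.

```python
"""Constructed model of a router callback guard (not SushiSwap's code).

The router remembers the pool it is about to call (lastCalledPool) and the
callback accepts only that address as msg.sender.  The guard is sound only if
the pool itself was verified first; when the route parameter is trusted as-is,
any contract can be made the expected caller.
"""


class Revert(Exception):
    """Stands in for a reverted EVM call."""


class Token:
    """Minimal ERC-20: balances plus (owner, spender) -> allowance."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}

    def approve(self, owner, spender, amount):
        self.allowances[(owner, spender)] = amount

    def transfer_from(self, caller, owner, to, amount):
        if self.allowances.get((owner, caller), 0) < amount:
            raise Revert("insufficient allowance")
        if self.balances.get(owner, 0) < amount:
            raise Revert("insufficient balance")
        self.allowances[(owner, caller)] -= amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


class Pool:
    """Legitimate pool: the payer in the callback is the user who routed."""

    def __init__(self, token):
        self.token = token

    def swap(self, router, user, amount):
        router.uniswap_v3_swap_callback(self, payer=user, token=self.token, amount=amount)


class UnregisteredPool:
    """A contract the factory never deployed; its callback names its own payer."""

    def __init__(self, token, payer):
        self.token = token
        self.payer = payer

    def swap(self, router, user, amount):
        router.uniswap_v3_swap_callback(self, payer=self.payer, token=self.token, amount=amount)


class Factory:
    """Registry of legitimately deployed pools (assumed stand-in for address
    derivation/verification against the real factory)."""

    def __init__(self):
        self.pools = set()

    def deploy(self, token):
        pool = Pool(token)
        self.pools.add(pool)
        return pool

    def is_pool(self, candidate):
        return candidate in self.pools


class RouteProcessor:
    def __init__(self, factory, validate_pool):
        self.factory = factory
        self.validate_pool = validate_pool  # False reproduces the flaw in the thread
        self.last_called_pool = None

    def process_route(self, user, pool, amount):
        # Mitigation: refuse to call, or become callable by, a pool the trusted
        # factory does not know.  Without this, the caller-supplied pool is
        # installed as lastCalledPool before its swap() runs.
        if self.validate_pool and not self.factory.is_pool(pool):
            raise Revert("pool not deployed by trusted factory")
        self.last_called_pool = pool
        pool.swap(self, user, amount)

    def uniswap_v3_swap_callback(self, msg_sender, payer, token, amount):
        # This check only proves the caller is whoever we just called; it says
        # nothing about whether that contract was legitimate.
        if msg_sender is not self.last_called_pool:
            raise Revert("unexpected callback sender")
        self.last_called_pool = None
        token.transfer_from(self, payer, msg_sender, amount)


def run_untrusted_route(validate_pool):
    """Victim's balance after a third party routes through an unregistered pool."""
    token = Token({"victim": 100, "other": 100})
    router = RouteProcessor(Factory(), validate_pool)
    token.approve("victim", router, 100)  # standing approval, as in the incident
    rogue = UnregisteredPool(token, payer="victim")
    try:
        router.process_route("other", rogue, 60)
    except Revert:
        pass
    return token.balances["victim"]  # 40 unchecked, 100 with validation


def run_legit_route():
    """Validation must not break a normal swap: returns (user, pool) balances."""
    token = Token({"user": 100})
    factory = Factory()
    router = RouteProcessor(factory, validate_pool=True)
    pool = factory.deploy(token)
    token.approve("user", router, 100)
    router.process_route("user", pool, 30)
    return token.balances["user"], token.balances[pool]
```

The model shows why the thread's point 3 holds: `uniswap_v3_swap_callback` is gated on `lastCalledPool`, but `lastCalledPool` is whatever the route said, so the gate is only as strong as the route validation in front of it. Revoking approvals, as SlowMist advises, removes the allowance that `transfer_from` depends on, which is why the unchecked path moves nothing once the approval is gone.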
