Cointime

Cointime

Download App
iOS & Android

Unchecked Route Parameter Allows Exploit in SushiSwap RouteProcessor2, SlowMist Reports

Cointime Official

April 9 (Cointime) - Cybersecurity firm SlowMist's Security Team reported an exploit in SushiSwap RouteProcessor2, a smart contract used for token swapping.

"The root cause is that ProcessRoute does not perform any checks on the user-provided route parameter, allowing the attacker to exploit this issue by constructing a malicious route parameter that causes the contract to read a Pool created by the attacker," SlowMist explained in a tweet.

The SlowMist Security Team urges users of RouteProcessor2 to revoke approval for the affected addresses as soon as possible.

Read full thread:

1/ The root cause is that ProcessRoute does not perform any checks on the user-provided route parameter, allowing the attacker to exploit this issue by constructing a malicious route parameter that causes the contract to read a Pool created by the attacker.

2/ Since there is no check for the legality of the Pool in the contract, the lastCalledPool variable is directly set to Pool, and the swap function of the Pool is called.

3/ The malicious Pool calls back the RouteProcessor2's uniswapV3SwapCallback function in its swap function. Since the lastCalledPool variable has been set to Pool, the check for msg.sender in uniswapV3SwapCallback is bypassed.

4/ The attacker exploits this issue to construct token transfer parameters when the malicious Pool calls back the uniswapV3SwapCallback function, stealing tokens from other users who have approved RouteProcessor2.

5/ Fortunately, some users' funds have been front-running by white hats, and there is hope for recovery. The SlowMist Security Team advises users of RouteProcessor2 to revoke approval for the following addresses ASAP.

6/

ETH: 0x044b...7357

BSC: 0xD75F...6550

ARB: 0xA7ca...0e5c

AVAX: 0xbACE...9C4F

FTM: 0x3e60...c715

Gnosis: 0x145d...2E6F

Moonbeam: 0x1838...7480

Moonriver: 0x3D2f...844F

OP: 0xF0cB...eF49

Polygon: 0x5097...649a

SushiSwap Cybersecurity
Comments

All Comments

Recommended for you

  • Tether makes a $100 million strategic equity investment in Anchorage Digital

    Tether announced a $100 million strategic equity investment in Anchorage Digital. Anchorage Digital Bank N.A. is the first federally regulated digital asset bank in the United States, providing staking, custody, governance, settlement, and stablecoin issuance services to global institutions and innovators to promote the shared goal of advancing the next phase of digital asset applications.

  • ETH falls below $2100

    the market shows ETH fell below $2100, currently at $2099.68, with a 24-hour decline of 7.97%. The market is highly volatile, please manage your risk accordingly.

  • U.S. Labor Department: Non-farm payrolls will be released on February 11, CPI data will be released on February 13.

     U.S. Bureau of Labor Statistics has rescheduled the release date of the January non-farm payroll report to February 11; the January CPI report release date has been rescheduled to February 13. In addition, the December Job Openings and Labor Turnover Survey report will be released on February 5.

  • Bloomberg ETF analysts: ETF funds showed high stability during the Bitcoin decline, with 94% of holdings remaining stable.

     Bloomberg ETF analyst Eric Balchunas stated that despite Bitcoin experiencing a significant pullback of about 40% and some investors still being at a floating loss, only about 6% of assets in Bitcoin ETFs have been withdrawn, with approximately 94% of funds remaining, indicating that ETF investors' holdings remain relatively resilient.

  • An entity sold a large amount of ETH on Hyperliquid to repay its Aave loans held in 11 wallets.

     according to MLM monitoring, an entity has been selling a large amount of ETH on Hyperliquid to repay its Aave loans in 11 wallets. The entity sold 31,700 ETH (worth $80.8 million) on the Hyperliquid platform in the past 5 hours, bringing the total sales over the past 4 days to 47,000 ETH (worth $120 million). It is reported that the entity deposited 49,600 ETH (worth $112 million) into the Aave account and borrowed $86 million USDC against it as collateral. However, due to the decline in ETH prices, the institution's position is close to liquidation, so it has to continue selling ETH to repay the debt and avoid being fully liquidated.

  • CMC released its January 2026 exchange reserve ranking report, with Binance leading the pack.

    On February 4th, CoinMarketCap released the "Mainstream Crypto Exchange Reserve Rankings Report for January 2026." The data shows that Binance ranks first among mainstream exchanges with a total reserve size of approximately 155.64 billion USD, significantly leading the market. The report indicates that Binance's stablecoin reserves are about 47.47 billion USD, accounting for 30.5%, while Bitcoin-related reserves are about 49.84 billion USD, the highest proportion. The overall asset structure maintains high liquidity and diversification.

  • The US spot Bitcoin ETF saw a net outflow of $269.93 million yesterday.

     according to Trader T's monitoring, the US spot Bitcoin ETF had a net outflow of $269.93 million yesterday.

  • BTC falls below $76,000

    the market shows BTC falling below 76,000 USD, currently at 75,997.97 USD, with a 24-hour decline of 3.42%. The market is highly volatile, please manage your risk accordingly.

  • UBS Group increased its stake in Strategy by 3.23 million shares, bringing its total holdings to 5.76 million shares.

     according to CoinDesk, that Switzerland's largest bank UBS Group increased its holdings by 3.23 million shares in the Bitcoin reserve company Strategy, bringing its total holdings in Strategy to 5.76 million shares (valued at $805 million).

  • Wintermute: This bear market may end faster than previous ones, and the market will most likely recover in the second half of the year.

    Wintermute posted on X stating that it is clear we are already in a bear market, and in fact, it has lasted for some time—especially judging by the performance of altcoins, the extreme concentration of rebounds, and market sentiment on X. However, what makes this bear market different is that it was not triggered by structural collapses like FTX, Luna, or 3AC, but rather driven by macroeconomic conditions and cyclical trend changes, representing a relatively natural deleveraging process, with the core driving forces being changes in positions, risk appetite, and market narratives.

Daily Must-Read

Popular Activities

RaveDAO at Terra Solis by Tomorrowland: A Female-Led Techno Night Where Web3 Culture Converges

RaveDAO at Terra Solis by Tomorrowland: A Female-Led Techno Night Where Web3 Culture Converges

April 30 - April 30
Dubai

Popular Tags

Cointime
News
Contents
RSS
Company