A bug in a smart contract on the decentralized finance (DeFi) protocol SushiSwap led to over $3 million in losses in the early hours of April 9, according to several security reports on Twitter.
Blockchain security companies Certik Alert and Peckshield posted about unusual activity related to the approval function in Sushi's Router Processor 2 contract, a smart contract that aggregates trade liquidity from multiple sources and identifies the most favorable price for swapping coins. Within a few hours, the bug led to losses of $3.3 million.
It seems the @SushiSwap RouterProcessor2 contract has an approve-related bug, which leads to the loss of >$3.3M (about 1800 eth) from @0xSifu. If you have approved https://t.co/E1YvC6VZsP, please *REVOKE* ASAP! One example hack tx: https://t.co/ldg0ww3hAN
According to DefiLlama's pseudonymous developer 0xngmi, the hack should only affect users who swapped on the protocol in the past four days.
Sushi's head developer Jared Grey urged users to revoke permissions for all contracts on the protocol. "Sushi's RouteProcessor2 contract has an approval bug; please revoke approval ASAP. We're working with security teams to mitigate the issue," he noted. A list of the contracts requiring revocation on different blockchains has been published on GitHub to address the problem.
We've confirmed recovery of more than 300ETH from CoffeeBabe of Sifu's stolen funds. We're in contact with Lido's team regarding 700 more ETH.
Hours after the incident, Grey took to Twitter to announce that a "large portion of affected funds" were recovered in a whitehat security process. "We've confirmed recovery of more than 300ETH from CoffeeBabe of Sifu's stolen funds. We're in contact with Lido's
Read more on cointelegraph.com