routeprocessor2

ChainCatcher message, SushiSwap tweeted that the RouteProcessor2 vulnerability compensation portal is now live, and users who can receive compensation are those whose funds are held in contracts starting with 0x74eb.It is reported that SushiSwap will regularly update the contract to include funds that may continue to be recovered in the future. Users whose funds are not included in this contract need to fill out a Google form to initiate a separate claims process. (Source link)

ChainCatcher news, SushiSwap released the RouteProcessor2 event analysis report. The report states that due to 18 replay transactions, the 1800 WETH initially drained from the first user wallet eventually entered multiple wallets. A total of 885 ETH has been refunded so far. Additionally, 795 ETH is currently in the execution layer reward vault.Sushi stated that the last remaining portion of the stolen funds will be borne by Sushi and refunded, and a claims process is in place for users affected by both white hat and black hat funds. The user claim form is currently under verification, and the Merkle claim contract is undergoing an audit. Sushi has proposed different compensation methods for two types of affected users: for users with recovered funds, they can request through the Merkle tree contract via the Sushi UI; for users with unrecovered funds, Sushi will set up a separate claims process. (Source link)

ChainCatcher message, according to the intelligence from the SlowMist security team, the SUSHI RouteProcessor2 has been attacked. The SlowMist security team shared the following in a brief:The root cause is that ProcessRoute did not perform any checks on the user-provided route parameter, allowing the attacker to exploit this issue to construct a malicious route parameter that made the contract read a Pool created by the attacker.Since there was no check in the contract to verify the legitimacy of the Pool, the lastCalledPool variable was directly set to the Pool, and the Pool's swap function was called.The malicious Pool called the RouteProcessor2's uniswapV3SwapCallback function in its swap function. Since the lastCalledPool variable had been set to the Pool, the check on msg.sender in uniswapV3SwapCallback was bypassed.The attacker exploited this issue to construct token transfer parameters when the malicious Pool called the uniswapV3SwapCallback function, in order to steal tokens from other users who had authorized RouteProcessor2.Fortunately, some users' funds have been rescued by white hats and are expected to be recovered. The SlowMist security team advises users of RouteProcessor2 to promptly revoke their authorization for 0x044b75f554b886a065b9567891e45c79542d7357.