Sushiswap contract exploit: Revoke permissions in wallet if you have interacted with Sushiswap in the past 4 days

As you may have seen, news broke last night that an approval contract on Sushiswap was exploited:




We've already had reports of users in the Telegram who had their Moons and potentially other funds stolen.

If you used Sushiswap recently please take a moment to revoke permissions in your MetaMask/wallet. On Arbitrum Nova you can review token approvals for your address here:


  • Sushi also has their own approval checker for the exploited contract here:

You can review token approvals across multiple chains and easily revoke using a tool like

EDIT 2 pm ET: Update from Sushi CTO here with some important info:

If you are a user and you have been affected, please check for the output address your funds have gone to. Our whitehat rescue address is 0x74Ebb8e8d0B0cc65F06040EB0f77B5DA0e33fFeE

If you have another address for where your funds went, then please contact us at w/ the tx hash and chain you were on

There is no risk at this time with using Sushi Protocol, and the UI. All exposure to RouterProcessor2 has been removed from the front end, and all LPing / current swap activity is safe to do

Will update with any further developments and when post-mortem is released.

50 thoughts on “Sushiswap contract exploit: Revoke permissions in wallet if you have interacted with Sushiswap in the past 4 days”

  1. This sucks.

    Granted, defi is intrinsically the epitome of “play stupid games, win stupid prizes.”

    Put lamely, you win some, you use lose some.

    Wish all who are affected the best.

  2. Problem is when there is no one to hold liable nothing stops a dev to hack/steal (directly or
    Indirectly by introducing a vulnerability and working with a third party) and claim they been hacked.

  3. The more this stuff happens, the more of a bitcoin maxi I inch my soul closer too

  4. This is my first time seeing a warning flair on any post on r/cc… I did panic a little. Hopefully everyone is ok

  5. So if Sushi’s tool says I’m safe should I revoke anyway? or just leave it?

  6. is an option to review all permissions you’ve given from your wallet.

  7. To avoid having to manually revoke every contract after your done using it, set a custom spending limit when approving the contract

    On metamask you can press the Edit Permissions button:

    Then set the custom limit to exactly how many coins you intend to use for this transaction:

    Once the limit is set, you can approve the transaction:

    After the transaction is done the contract no longer has permission to spend any more tokens so your wallet is not in any danger anymore

  8. Shouldn’t be more secure that after accepting any smart contract you revoke it later always? The transaction was done, better be safe than sure, maybe it will be a standard to do or I’m wrong?

  9. I took a look and it appears my LP position has disappeared. Is there a way to confirm this? I am not an expert blockchain investigator.

  10. Well I’m away from my wallet so I guess I won’t know about my funds on sushi until I get back. Should be a fun surprise 😀

  11. Why does this keep happening in ETH dapps? Is this a contract language limitation/vulnerability?

  12. WARNING! Your old liquidity is still there even if you can’t see it like you used to.

    I had a mini heart attack after returning home from a 5 days trip and not seeing my shit. Turns out the contracts were updated and your liquidity is safe, unless you interacted in the past 4 days like this post says.

    It’s in Legacy Positions tab, but I can’t open it for some reason. The website is shitting itself right now.

    You should be able to remove the old liquidity from this link

  13. For your own safety, go to official website etherscan(dot).io check “more” > “services” > “token approvals” and revoke any permissions for SushiSwap dapp


    Here’s a tool someone built to quickly check if your address has approved this contract or not.

  15. On Sushi it says my liquidity position is 0 and my staked position is 0. I am currently on the Unstake Liquidity box with the button to aprrove SLp and balance shows 5.6. Are my funds safe? I tried to unstake but its not really working. Any advise would be much appreciated

  16. Bro this is not a good look. We all know how fucked up defi is right now but this was too close to home for me personally, I will be cautious about providing liquidity for the foreseeable future.

  17. Thank you for the heads up OP! I went to check the LP this morning and wasnt sure why it wasnt loading, then I saw on Coin Market Cap that Moons were down 15%. Glad I revoked everything.

    Keeping my liquidity in the pool as well. If you’ve revoked permissions you should be fine.

  18. someone was just telling me sushiswap would be super hard to get hacked. Smh.

  19. Sucks for any of the liquidity providers who got affected by this. Hopefully their moons are somehow retrieved and given back to the owners for the future moons sake.

  20. Bought more moons this morning and then finally provided liquidity (funded mostly by ARB drop) before I knew this was going on. Still keeping liquidity in the pool though, revoked contracts though.

    Incidentally not glad this happened, but as someone not as familiar with ETH side of the house I had some old stuff to revoke.

  21. I’m pro crypto, but contrast stuff like this with all the talk of replacing traditional banking. We need some fresh security and UX ideas regarding smart contracts.

  22. lmao the ceo (?) tweeting that its such a good thing abt its high user volume before realising that its due to the exploit…

  23. …… and I am locked out of Metamask —- cos not at home, and wants password instead of fingerprint……

    Fun times 🙁

  24. You should approve only what you need for each transaction on chains that are cheap. The extra half cent and couple seconds it takes to approve each tx on arb nova is worth the piece of mind.

Comments are closed.