A major vulnerability has been identified in the DeFi protocol SushiSwap by security firm PeckShield, resulting in a loss of over $3.3 million.

The exploit involved the ‘RouterProcessor2’ contract used for trade routing on the SushiSwap exchange. According to PeckShield, the RouterProcessor2 contract has an approve-related bug, which leads to the loss of funds. Jared Grey, head developer at SushiSwap, confirmed the issue and urged users to revoke permissions for all contracts on SushiSwap as a security measure.

The bug primarily affected a single user, 0xsifu, who lost over $3.3 million in the exploit. The vulnerability appears to have impacted users who approved SushiSwap contracts within the last four days. Security teams are currently investigating the issue, tracking stolen funds, and working to recover affected assets.

Recovery efforts are underway, with the first attacker, 0x9deff, returning 90 ETH of the 100 they had stolen, while BlockSec rescued 100 ETH and pledged to return it shortly.

Negotiations between sifuvision.eth and c0ffeebabe.eth are in progress, with most stolen funds traced to “beaverbuild, rsync-builder, and Lido: Execution Layer Rewards Vault.”