SushiSwap Suffers Approve-Related Exploit

Monday, April 10, 2023

Quick Take

  • SushiSwap suffers an approval-related exploit.
  • Stackr unveils an SDK for building micro rollups.
  • Cemlot rolls out its V2 upgrade.
  • Etherscan hides zero-value token transfers.

This episode is made possible thanks to Ether Capital!

Looking for more transparency when it comes to your staking operations? Try out Ether Capital’s new staking dashboard. It’s a free analytics tool that tracks your rewards and monitors validator performance from one platform. Register today to access the beta version:

SushiSwap users are urged to revoke token approvals on all chains due to an exploitable bug on the protocol’s RouterProcessor2 contract. SushiSwap deployed the new contract on April 5th in an effort to improve trade routing. The exploited contract is now removed from the Sushi Protocol. Only users who approved the RouterProcessor2 contracts are affected.

According to a Dune dashboard, close to 2,500 wallets have approved the exploited contract. Roughly 67% of the affected wallets have already revoked approvals to the contact. Affected wallets with open approvals remain at risk of being exploited. SushiSwap liquidity providers were not affected. Sushi Head Chef Jared Grey said the team is working to recover funds and aims to make users whole.

Security firm PeckShield noted that roughly 1,800 ether was drained from a single user. Smart contract auditing firm BlockSec was able to rescue 100 ether. More than $400k worth of assets has been sent to a whitehat rescue address set up by SushiSwap.

Prepare For Staking Withdrawals

Ethereum validators are required to update their clients to the latest version ahead of the Shapella upgrade this Wednesday, April 12th at 10:26 PM UTC. Once the upgrade goes live, validators with 0x00 withdrawal credentials will be able to set their withdrawal address.  Once set, the withdrawal address cannot be changed.

There is also no deadline for changing withdrawal credentials. The upgrade will also enable partial and full withdrawals. While validators can withdraw staking rewards at any time, full withdrawals have been limited to eight validators per epoch. A total of 566k validators have deposited 18.1 million ether onto the Beacon Chain, earning a total of 1.1 million ether in staking rewards.

Stackr SDK For Building Micro Rollups

Stackr Labs unveiled its SDK for building app-specific rollups in Python and JavaScript. Stackr also introduced the concept of micro-rollups, where individual functions within a dapp are developed, optimized, and maintained as independent state machines. The SDK also allows developers to define data structures for their dapp’s state.

Mirco-rollups written in various languages leverage an aggregator network that finalizes transactions on L1. The aggregator network works similarly to bundlers in EIP-4337. Stackr Labs provides modular tools for creating logic-specific state machines. While the SDK is not yet released, developers can join a waitlist for early access.

Cemlot DEX Introduces V2 Upgrade

Cemlot, a DEX native to Arbitrum, introduced plans for the second iteration of its protocol. Camelot also launched a new concentrated liquidity AMM, which marks the first of three stages in the release of Camelot V2. The new and more efficient AMM features dynamic volatility fees, limit orders, rebasing tokens, and custom tick spacing.

The new AMM is built on the codebase of Algebra, a liquidity protocol for DEXs. In the second stage of the upgrade, Camelot will deploy a new UI. Concentrated liquidity high-efficiency farms will be deployed in the third and final stage of the V2 upgrade. Concentrated liquidity farms provide liquidity providers exposure to higher volume and fees.

Etherscan Now Hids Zero-Value Token Transfers

Etherscan will now hide zero-value token transfers on its block explorer by default. Zero-value token transfers are commonly sent in 'address poisoning' attacks where an attacker spams a victim’s wallet with empty transactions in an effort to trick a victim into transferring their assets to a fraudulent address that looks similar to their own. Users can manage the new feature on the Etherscan site settings page.