RouteProcessor2 Exploit

On April 8, 2023, Sushi core contributors soft launched V3 upgrades for the protocol that included a new router called RouteProcessor2 to facilitate swaps from the frontend. The router was planned to be used across each iteration of Sushi’s AMM pools (v2, Trident, v3), and to also be used for future aggregating across other protocols (Uni, Pancake, etc.). The RouteProcessor2 contract was deployed to 14 networks including: Arbitrum, Arbitrum Nova, Avalanche, Boba, BSC, Ethereum, Fantom, Fuse, Gnosis, Moonbeam, Moonriver, Optimism, Polygon, and Polygon ZkEVM. Unfortunately the contract had a critical vulnerability. To read more about what happened, please refer to our post-mortem.

Revoke approval

We highly recommend you revoke approval even if you have no hacked funds. Without revoking approval you remain vulnerable and funds can get hacked later on.

No user connected

Claim whitehacked funds

Please revoke any token approvals you have on RouteProcessor2. Once you have revoked approvals, you will be able to claim any lost funds resulting from the exploit.

No user connected
If your funds rest in the whitehat contract, they are claimable here

If you do not see any available claims but you did get your funds hacked, fill in the following form. Blackhat funds will take longer to process, as the team will verify the legitimacy against on-chain data that validates them and will get paid accordingly.


Frequently asked questions