Arbitrary call with user-controlled target

Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap's assessment for RD-F-013 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

RouteProcessor2 (0x044b75, now deactivated): exploitable arbitrary-call pattern was the root cause of the April 2023 $3.3M exploit. Post-mortem and Hacken analysis confirm the failure to validate user-provided routes allowed an attacker to establish a malicious pool and drain user-approved tokens. RP2 is now removed from production routing. RP3 (Zellic-audited Apr 2023) and RP4 replaced it. Scoring yellow: the pattern was present in RP2 but remediated; RP4 has no confirmed independent audit, so the risk of recurrence in the current routing layer cannot be fully ruled out.

Sources #

Etherscan
RouteProcessor2 EtherscanRouteProcessor2 0x044b75 — deactivated/removed from production routingretrieved 2026-05-17
URL
RouteProcessor2 Post Mortem — SushiRP2 post-mortem — arbitrary callback exploit; contract removed post-incidentretrieved 2026-05-17
URL
Hacken SushiSwap DEX Hack ExplainedHacken RP2 hack explained — 'failure to validate access permissions halfway through a swap'retrieved 2026-05-17

Methodology #

Determine whether any contract performs `.call(target, data)` where target and/or data is user-supplied without a target allowlist or selector filter.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol sushi factor RD-F-013 score yellow collected_at 2026-05-16 19:50:37