Prior exploit count
Sushi (SushiSwap), covering v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap, scored red on factor RD-F-077 under the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
Three distinct confirmed incidents: (1) MISO/JayPegs supply-chain exploit 2021-09-16 (~$3.1M, fully recovered); (2) Kashi KashiPairMediumRiskV1 stale-exchangeRate logic bug 2022-11-08 (~$120K, partial recovery); (3) RouteProcessor2 arbitrary-callback drain 2023-04-08 (~$3.3M, partial recovery ~$750K white-hatted). Excluded: Chef Nomi 2020 (founder-conduct, not contract exploit); SSS Rekt 2024 (Super Sushi Samurai, unrelated Blast L2 game). Three distinct root-cause exploits confirmed.
Sources
- URL: Beyond the market risk: a logic bug identified in SushiSwap's KashiPairMediumRiskV1 contract. BlockSec Medium — Kashi exploit (NOT in hacksdatabase — coverage gap). Retrieved 2026-05-17.
- JayPegs Automart (MISO/SushiSwap) hack report — hacksdatabase. hacksdatabase/hacks/jaypegs-automart.md. Retrieved 2026-05-17.
- SushiSwap RouteProcessor2 exploit hack report — hacksdatabase. hacksdatabase/hacks/sushi-yoink-rekt.md. Retrieved 2026-05-17.
Methodology
Count the number of distinct incidents in the hack database affecting this protocol.