Same-root-cause repeat exploit
Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap's assessment for RD-F-079 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
Three incidents, three entirely distinct root-cause clusters: (1) off-chain contractor code injection into auction front-end wallet address; (2) on-chain lending stale exchangeRate in borrow() function used by flash-loan exploit; (3) on-chain router processRoute() failure to validate Uniswap V3 pool callback origin. No same-root-cause repeat pattern observed.
Sources #
- InternalJayPegs Automart (MISO/SushiSwap) hack report — hacksdatabasehacksdatabase/hacks/jaypegs-automart.mdretrieved 2026-05-17
- SushiSwap RouteProcessor2 exploit hack report — hacksdatabasehacksdatabase/hacks/sushi-yoink-rekt.mdretrieved 2026-05-17
- Kashi KashiPairMediumRiskV1 logic bug — root causeBlockSec Medium — Kashi root cause: stale exchangeRate lending logicretrieved 2026-05-17
Methodology #
Determine whether the protocol has been exploited ≥2 times via the same root-cause cluster.
See the full factor methodology and distribution across all protocols →
rubric_version v1.7.0 protocol sushi factor RD-F-079 score green collected_at 2026-05-16 19:50:37