Known-exploit function-selector replay
Assessment of Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap for RD-F-095: scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
The RouteProcessor2 exploit used the processRoute() selector with malicious callback data. The deprecated RouteProcessor2 contract (0x044b75f554b886A065b9567891e45c79542d7357) remains on-chain and has not been self-destructed. Stale approvals to this contract could still be drained via selector replay for any user who has not revoked them. Sushi's post-mortem directed users to revoke via revoke.cash, but revocation was not mandatory before claim portal access in all cases. The current production router (v3/v4 generation) has the bug patched. No active replay attack is observed today, but the structural surface (deprecated contract plus residual approvals) constitutes a yellow posture for this signal.
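A wallet owner can check the residual-approval surface described above for their own address by replaying ERC-20 `Approval` logs. The sketch below is an added example, not code from the curator or from Sushi; the owner, token and other-spender addresses and the sample logs are constructed placeholders, and the log dictionaries are assumed to follow the JSON-RPC `eth_getLogs` field names.

```python
# Added example; the sample logs below are constructed, not chain data.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
DEPRECATED_ROUTER = "0x044b75f554b886A065b9567891e45c79542d7357"  # from the page

def topic_to_address(topic: str) -> str:
    """Indexed address topics are 32 bytes, left-padded; keep the low 20 bytes."""
    raw = topic.lower().removeprefix("0x")
    if len(raw) != 64 or raw[:24] != "0" * 24:
        raise ValueError(f"not an address topic: {topic}")
    return "0x" + raw[24:]

def residual_allowances(logs, owner, spender=DEPRECATED_ROUTER):
    """Return {token: allowance} that `owner` last approved for `spender`.

    approve() overwrites the allowance, so the latest Approval per token wins.
    transferFrom() may lower it without a log, so treat the value as an upper
    bound and confirm with the token's allowance(owner, spender) before acting.
    """
    owner, spender = owner.lower(), spender.lower()
    latest = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # ERC-721 Approval shares topic0 but has 4 topics
        if topic_to_address(topics[1]) != owner or topic_to_address(topics[2]) != spender:
            continue
        latest[log["address"].lower()] = int(log["data"], 16)
    return {token: amount for token, amount in latest.items() if amount > 0}

def _pad(addr):
    return "0x" + "00" * 12 + addr[2:].lower()

OWNER = "0x" + "11" * 20    # constructed placeholder wallet
TOKEN_A = "0x" + "aa" * 20  # constructed placeholder token
TOKEN_B = "0x" + "bb" * 20  # constructed placeholder token
OTHER = "0x" + "cc" * 20    # constructed placeholder, unrelated spender

def _log(block, index, token, spender, value):
    return {"blockNumber": block, "logIndex": index, "address": token,
            "topics": [APPROVAL_TOPIC, _pad(OWNER), _pad(spender)],
            "data": "0x" + format(value, "064x")}

SAMPLE_LOGS = [
    _log(100, 0, TOKEN_A, DEPRECATED_ROUTER, 2**256 - 1),  # unlimited approval
    _log(120, 3, TOKEN_A, DEPRECATED_ROUTER, 0),           # later revoked
    _log(110, 1, TOKEN_B, DEPRECATED_ROUTER, 1000),        # never revoked
    _log(130, 0, TOKEN_B, OTHER, 5000),                    # different spender
]

if __name__ == "__main__":
    print(residual_allowances(SAMPLE_LOGS, OWNER))
```

Any token left in the result still has a non-zero approval on record for the deprecated contract and is a candidate for revocation.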
Sources
- URL: RouteProcessor2 Post Mortem — Sushi. RouteProcessor2 post-mortem — revocation requirement and stale approval surface. Retrieved 2026-05-17.
- RouteProcessor2 (exploited, deprecated) — Etherscan. RouteProcessor2 deprecated contract — 0x044b75f554b886A065b9567891e45c79542d7357. Retrieved 2026-05-17.
Methodology
Detect whether a call-pattern matches a known-exploit replay template (specific selector sequence and calldata shape) against this protocol.