According to blockchain security firm SlowMist, SushiSwap has been attacked once again: a hacker stole the commission fees of the DIGG-WBTC trading pair through special means.
As in the first security incident, the attack allowed the hacker to profit by manipulating the exchange price of a trading pair, but the process was different. In the first attack, the hacker created a new trading pair using the LP token itself and other tokens, and profited from that new pair by manipulating its initial liquidity. In the latest attack, the hacker created the trading pair DIGG/WETH, which did not actually exist, and then manipulated the price of this newly created "fake" trading pair, causing huge slippage when the commission fees were exchanged. As a result, the hacker was able to make a large profit by spending only a small amount of DIGG and WETH to provide the initial liquidity.
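The slippage mechanism described above, as an added example that is not part of the original report or SushiSwap's own code: a simplified constant-product pool model showing why converting fees through a thinly seeded pair loses most of their value, and how a minimum-output check against an independent reference quote refuses that conversion. The function names, reserve figures and the 0.3% fee are assumptions made for illustration.

```python
# Added illustration: simplified constant-product (x * y = k) pool model.
# Reserves, amounts and the 0.3% fee are constructed/assumed values.
UNIT = 10**6          # fixed-point scale for token amounts
FEE_BPS = 30          # assumed swap fee: 0.3%

def amount_out(amount_in, reserve_in, reserve_out):
    """Tokens received from a constant-product swap after the pool fee."""
    in_after_fee = amount_in * (10_000 - FEE_BPS)
    return in_after_fee * reserve_out // (reserve_in * 10_000 + in_after_fee)

def price_impact_bps(amount_in, reserve_in, reserve_out):
    """Shortfall against the pool's own spot price, in basis points."""
    ideal = amount_in * reserve_out // reserve_in
    return (ideal - amount_out(amount_in, reserve_in, reserve_out)) * 10_000 // ideal

def guarded_convert(amount_in, reserve_in, reserve_out, reference_out, max_loss_bps=100):
    """Hypothetical guard: refuse a fee conversion whose output falls more than
    max_loss_bps below a quote from an independent reference (e.g. a deep pool)."""
    out = amount_out(amount_in, reserve_in, reserve_out)
    min_out = reference_out * (10_000 - max_loss_bps) // 10_000
    if out < min_out:
        raise ValueError(f"output {out} below minimum {min_out}; conversion refused")
    return out

# Constructed scenario: 100 units of accumulated fees to convert.
FEES = 100 * UNIT
DEEP_POOL = (1_000_000 * UNIT, 1_000_000 * UNIT)   # established, liquid pair
THIN_POOL = (10 * UNIT, 10 * UNIT)                 # freshly seeded with tiny liquidity

if __name__ == "__main__":
    reference = amount_out(FEES, *DEEP_POOL)
    for name, pool in (("deep", DEEP_POOL), ("thin", THIN_POOL)):
        print(name, "out:", amount_out(FEES, *pool) / UNIT,
              "impact bps:", price_impact_bps(FEES, *pool))
        try:
            guarded_convert(FEES, *pool, reference_out=reference)
            print("  guard: accepted")
        except ValueError as exc:
            print("  guard:", exc)
```

In this model the thin pool returns roughly 9 of the 100 units' worth of value, with the remainder left in the pool for whoever supplied its liquidity.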
According to earlier reports, in November 2020, SushiSwap (SUSHI) community governor 0xMaki said that someone had made a profit of $10,000 to $15,000 through a vulnerability in SushiSwap, adding that users' funds were safe.