Hello @EzR3aL,
although the manipulation in a similar fashion as the Cream attack is technically feasible, there is no known way it could be made profitably within the current market conditions. There aren’t enough SUSHI/xSUSHI on the market to manipulate the xSUSHI price enough to perform the attack profitably. It would require some big actors to collude (including the SUSHI team) to actually attack the system. The users have been informed here https://twitter.com/AaveAave/status/1454119658840367114.
This is an unforeseen attack surface involving very complex dynamics. Even with security as top priority as always, covering all the potential attack surfaces (even extremely complex ones like this one) is of course very difficult. Part of the security of the Aave protocol is also how you respond to unforeseen issues, and the community has reacted extremely quickly to this one. The only two assets that could potentially bring issues within the context of this attack surface are DPI (which anyway has been considered secure - it’s only be disabled for borrowing as a precaution, to give more time to review any additional security risk) and xSUSHI. Other assets have completely asynchronous oracles (including Kyber legacy @alkaid ) and cannot be manipulated with this attack.