Researchers identify 10 security flaws with SushiSwap
Blockchain security firm Quantstamp has published a security review of hyped DeFi protocol SushiSwap, identifying ten issues with the platform.
The good news is the issues with the Uniswap fork aren’t likely to be fatal — unlike the critical bug that took out YFI clone YAM after 48 hours. The researchers identified two medium risk, three low risk, and five informational issues with the code.
Among the concerns identified were errors failing to prevent the same liquidity provider token from being added more than once — risking disruptions to reward variables; a vulnerability potentially allowing funds to be stolen from the platform should the owner’s private key become compromised; and an issue that could result in the protocols ‘massUpdatePools’ running out of gas.
While none of the issues found were “critical enough to suggest redeployment of the existing contracts,” Quantstamp urged caution for the platform’s users.
Other researchers have pointed out additional concerns for SushiSwap users, with Cinneamhain Ventures partner Adam Cochran revealing yesterday that the protocol’s developer fund is holding $27 million worth of unlocked SUSHI tokens “that could be dumped or used to dump against LP tokens.”
4/18While I want so badly to believe in the project because a community owned AMM would be great, if you have a $27M dev fund at the center of your anon project that you refuse to lock up and think is not a priority - that's a red flag.
— Adam Cochran (@AdamScochran) September 2, 2020Responding to Cochran’s criticism, SushiSwap’s anonymous head ‘Chef Nomi’ said that the $27 million worth of tokens had been designated for “devshare”:
In theory I can sell all of them, but I don't see anything wrong with it. It's the devshare and it's [been] specified in there since the beginning.
For his part Cochran said the risk reward ratio from SushiSwap was getting unbalanced and he was off to farm elsewhere.
Disclosure: Exiting the last of my $Sushi position. Founder still hasn’t moved on locking funds & is now purposefully calling a ‘security review’ a full audit. This pump opportunity puts fully diluted value at nearly $2b mcap. Too much risk here, & not much upside left. I’m out.
— Adam Cochran (@AdamScochran) September 3, 2020Despite being less than one week old, SushiSwap, has already lured more than $1.4 billion in locked funds from Uniswap with the promise of enormous returns for liquidity providers in a business model some have dubbed a “vampire attack”
The protocol’s native token has gained more than 600% over the past few days and emerged as a top 70 crypto asset by capitalization boasting a 24-hour trade volume equal to more than 200% of its quarter-billion-dollar market cap.
There has been an explosion in food-themed DeFi Uniswap clones purporting to offer extreme rewards to yield farmers, with Kimchi and Hotdogswap quickly making waves in the DeFi markets over recent days.
Despite quickly capturing the imaginations of the yield farming community, Hotdog’s native token plummeted more than 99.9% from $4,000 to $1 over the course of five minutes just hours after the protocol’s launch today.