SushiSwap denies reports of billion-dollar bug

Published at: Sept. 23, 2021

One of the developers behind popular decentralized exchange SushiSwap has rejected a purported vulnerability reported by a white-hat hacker snooping through their smart contracts.

According to media reports, the hacker claimed to have identified a vulnerability that could place more than $1 billion worth of user funds under threat, stating they went public with the information after attempts to reach out to SushiSwap’s developers resulted in inaction.

The hacker claims to have identified a “vulnerability within the emergencyWithdraw function in two of SushiSwap’s contracts, MasterChefV2 and MiniChefV2” — contracts that govern the exchange’s 2x reward farms and the pools on SushiSwap’s non-Ethereum deployments, such as Polygon, Binance Smart Chain and Avalanche.

While the emergencyWithdraw function allows liquidity providers to immediately reclaim their liquidity provider tokens while forfeiting any rewards in the event of an emergency, the hacker claims the feature fails if no rewards are held within the SushiSwap pool, forcing liquidity providers to wait for the pool to be manually refilled, a process the hacker says takes roughly 10 hours, before they can withdraw their tokens.

“It can take approximately 10 hours for all signature holders to consent to refilling the rewards account, and some reward pools are empty multiple times a month,” the hacker claimed, adding:

“SushiSwap’s non-Ethereum deployments and 2x rewards (all using the vulnerable MiniChefV2 and MasterChefV2 contracts) hold over $1 billion in total value. This means that this value is essentially untouchable for 10 hours several times a month.”

However, SushiSwap’s pseudonymous developer has taken to Twitter to reject the claims, with the platform’s “Shadowy Super Coder” Mudit Gupta stressing that the threat described “is not a vulnerability” and that “no funds are at risk.”

Gupta clarified that “anyone” can top up the pool’s rewarder in the event of an emergency, bypassing much of the 10-hour multi-sig process the hacker claimed is needed to replenish the rewards pool. They added:

“The hacker’s claim that someone can put in a lot of lp to drain the rewarder faster is incorrect. Reward per LP goes down if you add more LP.”
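To make the two sides of the dispute concrete, here is an added Python model (not SushiSwap's contract code) of a MasterChef-style pool with a separate rewarder: fixed per-block emission means adding LP lowers the reward per LP instead of draining the rewarder faster, and an emergency withdrawal that still calls the rewarder hook reverts when the rewarder is empty, while one that forfeits rewards and never touches it cannot. The names, numbers and the rewarder's revert behaviour are constructed assumptions.

```python
# Constructed model of a MasterChef-style pool and separate rewarder (not SushiSwap's code); one deposit per user, harvest omitted.
class Pool:
    def __init__(self, reward_per_block):
        self.reward_per_block = reward_per_block  # emission is fixed per block
        self.total_lp, self.acc_per_share, self.last_block = 0, 0.0, 0
        self.lp, self.debt = {}, {}

    def _update(self, block):
        # Elapsed emission is split over whatever LP is staked: more LP, less per share.
        if self.total_lp:
            self.acc_per_share += (block - self.last_block) * self.reward_per_block / self.total_lp
        self.last_block = block

    def deposit(self, user, amount, block):
        self._update(block)
        self.lp[user] = self.lp.get(user, 0) + amount
        self.total_lp += amount
        self.debt[user] = self.lp[user] * self.acc_per_share  # rewardDebt

    def pending(self, user, block):
        self._update(block)
        return self.lp.get(user, 0) * self.acc_per_share - self.debt.get(user, 0)

    def remove_all(self, user):
        amount = self.lp.pop(user, 0)
        self.total_lp -= amount
        self.debt.pop(user, None)
        return amount

class Rewarder:
    def __init__(self, balance):
        self.balance = balance  # reward tokens it can pay out

    def top_up(self, amount):  # anyone may refill it, as Gupta points out
        self.balance += amount

    def on_reward(self, pending):
        if pending > self.balance:
            raise RuntimeError("rewarder empty: token transfer reverts")
        self.balance -= pending

def emergency_withdraw_coupled(pool, rewarder, user, block):
    # Hazard: the emergency path still calls the rewarder hook, so an empty rewarder
    # reverts the whole call and the LP tokens stay locked until it is refilled.
    rewarder.on_reward(pool.pending(user, block))
    return pool.remove_all(user)

def emergency_withdraw_decoupled(pool, user):
    # Hardened form: forfeit rewards and never touch the rewarder, so it cannot revert.
    return pool.remove_all(user)
```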

Related: SushiSwap’s token launchpad, MISO, hacked for $3M

The hacker said they had been instructed to report the vulnerability on bug bounty platform Immunefi — where SushiSwap is offering to pay rewards of up to $40,000 to users who report risky vulnerabilities in its code — after they first reached out to the exchange.

They noted that the issue was closed on Immunefi without compensation, with SushiSwap stating it was aware of the matter described.
