Dev finds major governance bug in SushiSwap, but no threat to the project yet

Published at: Sept. 7, 2020

SushiSwap appears to be vulnerable to a subtle bug that could multiply someone’s governance power without their having to acquire any new tokens.

Reported by developer Jong Seok Park on Sept. 7, the bug can be described as a governance double-spend.

In essence, SushiSwap governance lets token holders delegate their voting power to another entity. However, if that token holder then transfers the tokens to someone else, the delegatee still retains the delegated voting power. The recipient can now delegate the same tokens once again, multiplying the delegatee’s power as many times as desired. The bug is that the token transfer does not update the delegation bookkeeping, and this is likely the result of combining codebases from different projects.

SushiSwap’s governance contracts are largely a fork of Yam governance, itself a fork of Compound. Looking at the GitHub source code of SushiSwap, however, it appears that the token’s smart contract only modified the “mint” function of the standard OpenZeppelin ERC-20 implementation. Yam, on the other hand, used a specific implementation of the standard that has a “moveDelegates” function called upon every transfer.
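The following is an added example, not code from the article or from the SushiSwap, Yam or Compound repositories: a Python model of the vote-accounting logic described above. It keeps the three pieces of state a Compound-style governance token tracks (balances, each holder’s chosen delegatee, and each delegatee’s current votes) and shows why a transfer that skips the “moveDelegates” step lets one pool of tokens be delegated to the same address over and over. All names (`alice`, `eve`, `holder1`, …) are constructed, and the assumption that minting credits votes to the minter’s existing delegatee is a modelling choice, not a statement about the real contract.

```python
"""Model of Compound-style vote delegation with and without the missing
moveDelegates call on transfer. Added example; not the contract's code."""
from collections import defaultdict


class VulnerableGovToken:
    """Transfer moves balances but never touches delegation bookkeeping."""

    def __init__(self):
        self.balances = defaultdict(int)      # holder -> token balance
        self.delegates = {}                   # holder -> delegatee (or absent)
        self.votes = defaultdict(int)         # delegatee -> current voting power

    def _move_delegates(self, src, dst, amount):
        # Shift `amount` votes from delegatee `src` to delegatee `dst`.
        # None stands for "no delegatee" (the contract's address(0)).
        if src == dst or amount == 0:
            return
        if src is not None:
            self.votes[src] -= amount
        if dst is not None:
            self.votes[dst] += amount

    def mint(self, to, amount):
        self.balances[to] += amount
        # Assumption for this model: minting credits the holder's existing
        # delegatee, the way the article says the modified "mint" does.
        self._move_delegates(None, self.delegates.get(to), amount)

    def delegate(self, holder, delegatee):
        previous = self.delegates.get(holder)
        self.delegates[holder] = delegatee
        self._move_delegates(previous, delegatee, self.balances[holder])

    def transfer(self, src, dst, amount):
        if self.balances[src] < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] += amount
        # BUG being modelled: no _move_delegates call, so votes that were
        # granted on behalf of these tokens stay with the old delegatee.

    def total_supply(self):
        return sum(self.balances.values())

    def total_votes(self):
        return sum(self.votes.values())


class FixedGovToken(VulnerableGovToken):
    """Same token, but transfer also moves the votes the tokens carry."""

    def transfer(self, src, dst, amount):
        super().transfer(src, dst, amount)
        self._move_delegates(self.delegates.get(src),
                             self.delegates.get(dst), amount)


def run_scenario(token_cls, rounds):
    """Mint 100 tokens once, delegate them to 'eve', then pass the same
    100 tokens along a chain of fresh holders who each delegate to 'eve'.
    `rounds` is the number of holders who delegate (including the first)."""
    token = token_cls()
    token.mint("alice", 100)
    token.delegate("alice", "eve")
    holder = "alice"
    for i in range(1, rounds):
        nxt = f"holder{i}"                 # constructed holder name
        token.transfer(holder, nxt, 100)   # same 100 tokens move on
        token.delegate(nxt, "eve")         # ... and are delegated again
        holder = nxt
    return token


def delegatee_votes_after(token_cls, rounds):
    return run_scenario(token_cls, rounds).votes["eve"]


def votes_within_supply(token_cls, rounds):
    """Invariant a reviewer can check: total votes never exceed supply."""
    token = run_scenario(token_cls, rounds)
    return token.total_votes() <= token.total_supply()


if __name__ == "__main__":
    for cls in (VulnerableGovToken, FixedGovToken):
        print(cls.__name__, "eve votes after 3 delegations:",
              delegatee_votes_after(cls, 3),
              "| votes <= supply:", votes_within_supply(cls, 3))
```

With only 100 tokens ever minted, the vulnerable model gives `eve` 300 votes after three hand-offs, while the fixed model keeps her at 100 because each transfer first removes the votes from the sender’s delegatee and then credits the recipient’s. The `votes_within_supply` check is the kind of invariant test (total delegated votes never exceed total supply) that would have flagged the missing call before governance went live.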

In a conversation with Cointelegraph, FTX CEO and now lead for SushiSwap Sam Bankman-Fried confirmed the existence of the bug. He noted that “It doesn’t pose an immediate problem for Sushi” as governance hasn’t yet been activated.

Catching the bug before live release means that the team can now work on solutions to fix it. Bankman-Fried believes that the issue should be fixable without having to migrate the project to new contracts, but the team is “still looking into it.”

It is interesting to note that SushiSwap was hastily reviewed and audited by multiple firms as the project blew up in popularity. While one of the reported issues involves the same “moveDelegates” function at play here, it appears to be a different type of bug. It wouldn’t be the first time that audits failed to catch some issues, highlighting the need for the entire development community to pitch in to keep DeFi smart contracts secure.

SushiSwap itself is currently reeling from the aftermath of its anonymous founder jumping ship with a “devfund” in SUSHI tokens worth $27 million at some point.

The intended liquidity migration from Uniswap is still set to continue with new migration contracts, but the prior decision from Chef Nomi was canceled.
