A SushiSwap vulnerability report published by an anonymous white-hat hacker has been rejected by the developers behind the popular decentralized exchange.
The hacker’s alleged vulnerabilities in SushiSwap’s contracts first came to light through media reports, in which the hacker claimed users could lose funds worth over $1 billion due to these threats.
The hacker also acknowledged going public with the information only after attempts to bring it to the attention of SushiSwap’s developers confidentially did not result in any action.
In the report, the hacker claimed to have found a “vulnerability within the emergencyWithdraw function in two of SushiSwap’s contracts, MasterChefV2 and MiniChefV2.” These contracts govern the exchange’s 2x reward farms and its pools on non-Ethereum sidechains such as Binance Smart Chain, Polygon, Fantom, and Avalanche.
The emergencyWithdraw function provides a safety net to users using DeFi services, essentially allowing them to immediately withdraw their Liquidity Provider (LP) tokens in the event of an emergency while forfeiting any rewards earned until that point.
According to the hacker, this feature is misleading as it would not work as intended if no rewards are held within the SushiSwap pool.
If the rewards in the pool dry up, they have to be refilled manually by the project’s team using a multi-signature account, with team members often operating from vastly different time zones. The hacker believes this could lead to waiting times of over 10 hours before tokens can be withdrawn. The report further elaborated:
“It can take approximately 10 hours for all signature holders to consent to refilling the rewards account, and some reward pools are empty multiple times a month. SushiSwap’s non-Ethereum deployments and 2x rewards (all using the vulnerable MiniChefV2 and MasterChefV2 contracts) hold over $1 billion in total value. This means that this value is essentially untouchable for 10 hours several times a month.”
However, the platform’s developers have now come out with a clarification. The platform’s “Shadowy Super Coder” Mudit Gupta took to Twitter to stress that the threat itself “is not a vulnerability,” adding that “no funds are at risk.”
The developer said that, contrary to the hacker’s claim, the pool can be topped up by “anyone” in an emergency. This makes the 10-hour multi-signature process described by the hacker irrelevant. Gupta further added:
“The hacker’s claim that someone can put in a lot of lp to drain the rewarder faster is incorrect. Reward per LP goes down if you add more LP.”
In any case, the hacker’s intention seems to have been to “educate current and future SushiSwap users of the risks they are taking by trusting these vulnerable contracts […].” The white-hat hacker also accused SushiSwap of handling the matter too casually.
The “issue” was first reported through Immunefi, the platform’s bug bounty program, where SushiSwap is offering rewards of up to $40,000 to users who report risky vulnerabilities in its code.
However, the issue was closed on Immunefi without compensation.