- Hacker says SushiSwap is vulnerable, this could lead to $1 billion in losses for liquidity providers.
- SushiSwap allegedly knows about the bug and refuses to fix it.
A SushiSwap developer dismissed claims by a white-hat hacker who says he identified a bug on the decentralized exchange that poses a major security risk to liquidity providers (LPs). According to the hacker, SushiSwap rejected a detailed vulnerability report indicating that over $1 billion in liquidity provided by the exchange's users is at risk.
The hacker added that he resolved to publish the report publicly after SushiSwap developers ignored his attempts to reach out about the exploit. By making the information public, the hacker said, he would educate existing and potential SushiSwap users about the risk they are taking by trusting vulnerable contracts. It would also show other well-intentioned hackers how casually SushiSwap handled the matter despite being informed about it.
What’s wrong with SushiSwap?
The anonymous hacker said that the emergency withdrawal function, present on SushiSwap contracts, MasterChefV2 and MiniChefV2, is faulty and puts at risk over $1 billion in LP token holders’ capital.
The contracts are in charge of the protocol's 2X reward liquidity pools (farms) and SushiSwap pools on other blockchains, including BSC, Avalanche, Factom and Polygon. The emergency withdrawal function is designed to let users withdraw their LP tokens in case of an emergency, usually forfeiting the earned rewards. It is a common security feature in many DeFi applications.
However, the hacker explained why the emergency withdrawal on SushiSwap is misleading and does not in fact work as users have been led to believe. SushiSwap says that it allows users to withdraw funds without worrying about the rewards in the pool, but if there are no reward tokens in a pool during an emergency, LP token holders cannot withdraw their funds.
They would then have to wait for authorized SushiSwap developers to refill the pool's rewards from a multi-signature account where the rewards are held separately. This process could take up to 10 hours, since some of the developers live in different time zones.
It can take approximately 10 hours for all signature holders to consent to refilling the rewards account, and some reward pools are empty multiple times a month.
During this waiting period, which effectively acts as a lock-up period, LPs are unable to stake, unstake, collect rewards, or use the emergency function. This implies that SushiSwap has a lock-up period for LP tokens a few times every month, which would make it impossible for token holders to react to price movements using the staked tokens.
SushiSwap's non-Ethereum deployments and 2X reward farms (all using the vulnerable MiniChefV2 and MasterChefV2 contracts) hold over $1 billion in total value. This means that this value is essentially untouchable for 10 hours several times a month.
The vulnerability could also be exploited by a malicious actor to repeatedly drain multiple reward pools using large LP token amounts, and thus hold other users' funds hostage until the next refill by the developers.
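The following Python model is added here to illustrate the failure mode the report describes; it is a constructed simplification, not code from SushiSwap's MasterChefV2 or MiniChefV2 contracts, which the article does not quote. An emergency exit that must pay out pending rewards before returning LP tokens fails as soon as the reward balance is empty, while an exit that simply forfeits rewards does not; the Farm class, the accrue helper and all balances are assumptions.

```python
from dataclasses import dataclass, field


class InsufficientRewards(Exception):
    """Stands in for a reverted reward transfer when the pool's reward balance runs dry."""


@dataclass
class Farm:
    """Constructed model of a farm holding users' LP tokens plus a separate reward balance."""
    reward_balance: int                          # reward tokens on hand, refilled by a multisig
    staked: dict = field(default_factory=dict)   # user -> LP tokens deposited
    pending: dict = field(default_factory=dict)  # user -> rewards earned but not yet paid

    def deposit(self, user: str, lp: int) -> None:
        self.staked[user] = self.staked.get(user, 0) + lp

    def accrue(self, user: str, reward: int) -> None:
        """Credit earned rewards; a real contract derives this from time and pool share."""
        self.pending[user] = self.pending.get(user, 0) + reward

    def _pay(self, user: str) -> int:
        owed = self.pending.get(user, 0)
        if owed > self.reward_balance:
            raise InsufficientRewards(f"pool holds {self.reward_balance}, owes {owed}")
        self.reward_balance -= owed
        self.pending[user] = 0
        return owed

    def harvest(self, user: str) -> int:
        return self._pay(user)

    def emergency_withdraw_coupled(self, user: str) -> int:
        """The pattern the report criticises: the exit depends on a successful reward payout."""
        self._pay(user)  # reverts when the reward pool is empty, trapping the LP tokens
        lp, self.staked[user] = self.staked.get(user, 0), 0
        return lp

    def emergency_withdraw_decoupled(self, user: str) -> int:
        """Hardened exit: forfeit pending rewards and return LP tokens regardless of funding."""
        self.pending[user] = 0
        lp, self.staked[user] = self.staked.get(user, 0), 0
        return lp


def demo() -> tuple:
    """Large staker drains rewards; smaller LP can exit only via the decoupled path."""
    farm = Farm(reward_balance=100)
    for user, lp in (("whale", 900), ("alice", 100)):
        farm.deposit(user, lp)
    farm.accrue("whale", 100)
    farm.accrue("alice", 5)
    farm.harvest("whale")  # reward balance is now 0 until the multisig refills it
    try:
        farm.emergency_withdraw_coupled("alice")
        coupled_ok = True
    except InsufficientRewards:
        coupled_ok = False  # alice is locked in until the refill lands
    lp_back = farm.emergency_withdraw_decoupled("alice")
    return coupled_ok, lp_back, farm.reward_balance
```

The decoupled exit is the property to check for in any farm contract: a user's ability to reclaim principal must not depend on a balance that someone else can empty or that a multisig must top up.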
After discovering the bug, the white-hat hacker confidentially contacted SushiSwap to report it and was told to log the bug with Immunefi, the leading bug bounty platform for blockchain projects. SushiSwap has registered a $1.25 million bug bounty with the program, which says hackers are eligible for a $40,000 payout for catching serious bugs on the exchange.
However, the hacker said SushiSwap closed the report without fixing the bug or paying the bounty, saying that they had known about the bug during implementation. The hacker therefore concluded that SushiSwap knowingly introduced a vulnerability that could lock up users' funds and cost them millions of dollars, and then refused to fix it.