SushiSwap refutes rumors of a $1 billion glitch

  • One of the exchange’s developers has dismissed claims made by a self-described white-hat hacker regarding a serious security risk to SushiSwap liquidity providers
  • While the emergencyWithdraw function allows liquidity providers to claim their LP tokens immediately while forfeiting rewards in the event of an emergency, the hacker claims that if no rewards are held within the SushiSwap pool, the feature will fail
  • However, SushiSwap’s pseudonymous developer has taken to Twitter to refute the accusations, emphasizing that the issue outlined is not a vulnerability and that no funds are at risk, according to the platform’s Shadowy Super Coder Mudit Gupta

One of the exchange’s developers has dismissed claims made by a self-described white-hat hacker regarding a serious security risk to SushiSwap liquidity providers. The developer behind the popular decentralized exchange has denied a supposed vulnerability that the white-hat hacker reported after examining SushiSwap’s smart contracts. According to media sources, the hacker claimed to have discovered a weakness that may jeopardize more than $1 billion in user funds, and said they went public with the information following unsuccessful attempts to contact SushiSwap’s engineers. The hacker claims to have discovered a “vulnerability within the emergencyWithdraw function in two of SushiSwap’s contracts, MasterChefV2 and MiniChefV2”, the contracts that govern the exchange’s 2x reward farms and pools on non-Ethereum SushiSwap deployments like Polygon, Binance Smart Chain, and Avalanche.

While the emergencyWithdraw function allows liquidity providers to claim their LP tokens immediately while forfeiting rewards in the event of an emergency, the hacker claims that if no rewards are held within the SushiSwap pool, the feature will fail, forcing liquidity providers to wait for the pool to be manually refilled over a 10-hour process before they can withdraw their tokens. According to the hacker, it can take up to 10 hours for all signature holders to agree to the rewards account being refilled, and some reward pools are empty numerous times a month. The hacker added that the total value of SushiSwap’s non-Ethereum deployments and 2x incentives (all of which use the vulnerable MiniChefV2 and MasterChefV2 contracts) is over $1 billion, which means that for 10 hours, many times a month, this amount is practically untouchable.

However, SushiSwap’s pseudonymous developer has taken to Twitter to refute the accusations, emphasizing that the issue outlined is not a vulnerability and that no funds are at risk, according to the platform’s Shadowy Super Coder Mudit Gupta. Gupta explained that, in an emergency, anyone can top up the pool’s rewarder, avoiding most of the 10-hour multi-sig procedure that the hacker claimed is required to replenish the rewards pool. They also stated that the hacker’s assertion that a large amount of LP could be deposited to drain the rewarder more quickly is false: if more LP is added, the reward per LP decreases. The hacker claimed that, after first contacting the exchange, they were told to submit the vulnerability to the bug bounty platform Immunefi, where SushiSwap offers rewards of up to $40,000 to users who identify dangerous flaws in its code. They mentioned that the issue was resolved without compensation on Immunefi and that SushiSwap was aware of the situation.
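
A simplified Python model of the disputed behaviour, added here as an illustration and not SushiSwap's contract code: it assumes the emergency withdrawal calls a rewarder hook that reverts when the rewarder cannot pay, and the `Farm`, `Rewarder`, `on_exit` and `decoupled` names are hypothetical. It covers the blocked withdrawal, the permissionless top-up, the falling reward per LP as more LP is staked, and a variant whose emergency path does not depend on the rewarder.

```python
class RewarderEmpty(Exception):
    """Models the revert when the rewarder cannot cover a payout."""

class Rewarder:
    def __init__(self, balance=0):
        self.balance = balance

    def top_up(self, amount):
        # Permissionless: anyone can send reward tokens, no multi-sig needed.
        self.balance += amount

    def on_exit(self, owed):
        # Assumed hook called when a user leaves; settles the reward or reverts.
        if owed > self.balance:
            raise RewarderEmpty("rewarder balance too low")
        self.balance -= owed

class Farm:
    def __init__(self, rewarder, decoupled=False):
        self.rewarder, self.decoupled = rewarder, decoupled
        self.staked, self.accrued = {}, {}

    def deposit(self, user, lp):
        self.staked[user] = self.staked.get(user, 0) + lp
        self.accrued.setdefault(user, 0)

    def distribute(self, reward):
        # Pro rata split: the more LP is staked, the less each LP token earns.
        total = sum(self.staked.values())
        for user, lp in self.staked.items():
            self.accrued[user] += reward * lp // total
        return reward / total  # reward per LP token for this period

    def emergency_withdraw(self, user):
        try:
            self.rewarder.on_exit(self.accrued[user])
        except RewarderEmpty:
            if not self.decoupled:
                raise  # whole call reverts, LP stays in the farm
            # Decoupled variant: a failing rewarder never blocks the exit.
        self.accrued.pop(user)
        return self.staked.pop(user)  # LP tokens returned to the user

if __name__ == "__main__":  # constructed scenario: rewarder starts empty
    farm = Farm(Rewarder(), decoupled=True)
    farm.deposit("alice", 100)
    farm.distribute(40)
    print("LP returned:", farm.emergency_withdraw("alice"))
```

In the coupled form the exception is raised before any state changes, which mirrors an atomic revert: the user's stake and accrued reward are untouched until the rewarder is funded again.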
