
Critical vulnerability in Sushiswap? The developers strike back

The Sushiswap team takes offense. Launched just over a year ago, the Sushiswap exchange platform has become a staple of the DeFi ecosystem. Initially deployed on Ethereum (ETH), it is now available on many other blockchains, such as Polygon, Binance Smart Chain (BSC) and Avalanche.

A vulnerability present in Sushiswap?

On September 23, the media outlet Coinfomania found itself in the spotlight after publishing an article about a possible flaw in Sushiswap.

According to that report, a white-hat hacker had discovered a vulnerability that would put “at least one billion dollars in user funds” at risk.

Coinfomania Publication – Source: Twitter

According to the hacker's write-up, the function at issue is emergencyWithdraw, present in the MasterChefV2 and MiniChefV2 contracts. This function lets liquidity providers pull their LP tokens out in an emergency, at the cost of forfeiting the rewards accrued up to that point.

However, according to the hacker, the function does not behave as intended: the withdrawal transaction can revert when the corresponding reward pool holds no reward tokens.

As a result, users could find their funds locked whenever a reward pool runs dry. This has already happened, since it is the developers who refill the reward pools manually through a multisig address.

“It can take around 10 hours for all signature holders to agree to refill the rewards account, and some reward pools run empty multiple times a month.”

Hacker statement
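To make the mechanism concrete, here is an added, simplified illustration of the failure mode described above; it is not the Sushiswap contracts, and the names FarmBase, FarmCoupled, FarmDecoupled, StrictRewarder, IRewarder.onReward and the "amount / 100" accrual rule are all constructed for this example. The coupled farm routes its emergency path through a rewarder that reverts when its token balance is empty, so the LP transfer never executes; the decoupled variant (my own choice of fix, not the change the Sushiswap team later shipped) forfeits rewards on the emergency path and never touches the rewarder there.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal token interface: only the calls the farm and rewarder need.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical rewarder hook that the farm calls on withdrawals.
interface IRewarder {
    function onReward(address user, uint256 owed) external;
}

// Rewarder that pays accrued rewards out of its own token balance.
// If that balance is lower than `owed`, the transfer reverts, and so does
// every transaction that called into it.
contract StrictRewarder is IRewarder {
    IERC20 public immutable rewardToken;

    constructor(IERC20 token) { rewardToken = token; }

    function onReward(address user, uint256 owed) external override {
        if (owed == 0) return;
        require(rewardToken.transfer(user, owed), "rewarder: empty pool");
    }
}

// Shared bookkeeping: LP deposits and a simplified "pending reward" counter
// that a real farm would derive from block-based accrual.
abstract contract FarmBase {
    IERC20 public immutable lpToken;
    IRewarder public immutable rewarder;
    mapping(address => uint256) public staked;
    mapping(address => uint256) public pending;

    constructor(IERC20 lp, IRewarder r) { lpToken = lp; rewarder = r; }

    function deposit(uint256 amount) external {
        require(lpToken.transferFrom(msg.sender, address(this), amount), "farm: deposit failed");
        staked[msg.sender] += amount;
        pending[msg.sender] += amount / 100; // constructed accrual rule, illustration only
    }
}

// Failure mode from the article: the emergency path still goes through the
// reward payout, so an empty reward pool makes the whole withdrawal revert
// and the LP tokens stay locked until someone refills the rewarder.
contract FarmCoupled is FarmBase {
    constructor(IERC20 lp, IRewarder r) FarmBase(lp, r) {}

    function emergencyWithdraw() external {
        uint256 amount = staked[msg.sender];
        uint256 owed = pending[msg.sender];
        staked[msg.sender] = 0;
        pending[msg.sender] = 0;
        rewarder.onReward(msg.sender, owed);                                    // reverts when the pool is empty ...
        require(lpToken.transfer(msg.sender, amount), "farm: transfer failed"); // ... so this line never runs
    }
}

// Hardened variant (my own choice, not the fix the Sushiswap team shipped):
// the emergency path forfeits rewards and never depends on the rewarder, so
// principal can always be recovered. The regular withdraw keeps the payout but
// hands principal back first and tolerates a failing rewarder via try/catch.
contract FarmDecoupled is FarmBase {
    constructor(IERC20 lp, IRewarder r) FarmBase(lp, r) {}

    function emergencyWithdraw() external {
        uint256 amount = staked[msg.sender];
        staked[msg.sender] = 0;
        pending[msg.sender] = 0; // rewards forfeited, as the article describes
        require(lpToken.transfer(msg.sender, amount), "farm: transfer failed");
    }

    function withdraw() external {
        uint256 amount = staked[msg.sender];
        uint256 owed = pending[msg.sender];
        staked[msg.sender] = 0;
        pending[msg.sender] = 0;
        require(lpToken.transfer(msg.sender, amount), "farm: transfer failed");
        try rewarder.onReward(msg.sender, owed) {} catch {
            pending[msg.sender] = owed; // keep the claim so it can be paid once the pool is refilled
        }
    }
}
```

Deployed against a StrictRewarder whose reward-token balance is zero, FarmCoupled.emergencyWithdraw reverts for any user with a non-zero pending balance, while FarmDecoupled.emergencyWithdraw returns the LP tokens regardless. The design point is the one Mudit Gupta's reply below turns on: whether the emergency exit for principal is allowed to depend on a pool that anyone can refill but nobody is obliged to.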


A non-issue for Sushiswap

After finding this behaviour, the hacker tried to contact the project team to report it and, ideally, collect a few tens of thousands of dollars in bounty for the finding.

However, after submitting the issue on the Immunefi bug bounty platform, where Sushiswap offers up to $40,000 for a critical flaw, the hacker withdrew his submission without receiving any reward. He then decided to go public with the matter, in order to “make current and future users of Sushiswap aware of the risks they run by relying on these vulnerable contracts.”

The Sushiswap team finally reacted to the matter after the Coinfomania piece was published. Sushiswap CTO Joseph Delong did not pull his punches on Twitter:

“We want a retraction. This article did not do the least bit of research or source verification. Nice title, but it's sheer nonsense.”

Joseph Delong's Twitter comments demanding a retraction over the unsupported Sushiswap vulnerability claim – Source: Twitter

Developer Mudit Gupta, for his part, responded in a more structured way, explaining why this is not a vulnerability:

“This is not a vulnerability. There are no funds in jeopardy. If the reward pool runs out of rewards, the LP withdrawal fails, but anyone (not just Sushi) can refill the rewards in an emergency.”

He later added that this mechanism will be changed in the next version of the MasterChef contracts, but that auditing and migrating production contracts takes time.

The Sushiswap team's reaction is rather harsh toward someone who was simply trying to highlight a questionable mechanism. It is all the more surprising given that Sushiswap has suffered two vulnerabilities on its Miso platform in recent months, one of which led to the loss of $3.1 million.
