{"id":10781,"date":"2021-09-23T12:45:09","date_gmt":"2021-09-23T11:45:09","guid":{"rendered":"https:\/\/coinscreed.com\/staging\/?p=10781"},"modified":"2021-09-23T12:45:17","modified_gmt":"2021-09-23T11:45:17","slug":"sushiswap-refutes-reports-of-a-1-billion-glitch","status":"publish","type":"post","link":"https:\/\/coinscreed.com\/staging\/sushiswap-refutes-reports-of-a-1-billion-glitch\/","title":{"rendered":"SushiSwap refutes reports of a $1 billion glitch"},"content":{"rendered":"\n
One of the exchange's developers has dismissed claims made by a self-described white-hat hacker regarding a major security risk to SushiSwap <\/a>liquidity providers.<\/h5>\n\n\n\n
\"SushiSwap<\/figure>\n\n\n\n

A alleged vulnerability revealed by a white-hat hacker probing through SushiSwap's smart contracts\r\n \r\n \r\n \r\n <\/g>\r\n \r\n \r\n \r\n <\/clipPath>\r\n <\/defs><\/svg><\/span><\/a> has been dismissed by the developer behind the popular decentralized exchange.<\/p>\n\n\n\n

According to media <\/a>reports, the hacker claimed to have discovered a vulnerability that could jeopardize more than $1 billion in user funds, and that they went public with the information after unsuccessful attempts to contact SushiSwap's developers.<\/p>\n\n\n\n

The hacker claims to have discovered a “vulnerability within the emergencyWithdraw function in two of SushiSwap's contracts, MasterChefV2 and MiniChefV2” \u2014 contracts that govern the exchange's 2x reward farms and pools on non-Ethereum SushiSwap deployments like Polygon<\/a>, Binance <\/a>Smart Chain, and Avalanche<\/a>.<\/p>\n\n\n\n

While the emergencyWithdraw function allows liquidity providers to claim their LP tokens immediately while forfeiting rewards in the event of an emergency. <\/p>\n\n\n\n

The hacker claims that if no rewards are held within the SushiSwap pool, the feature will fail, forcing liquidity providers to wait for the pool to be manually refilled over a 10-hour process before they can withdraw their tokens.<\/p>\n\n\n\n

Gupta clarified that \u201canyone\u201d can top up the pool\u2019s rewarder in the event of an emergency, bypassing much of the 10-hour multi-sig process the hacker claimed is needed to replenish the rewards pool. They added:<\/p>\n\n\n\n

\u201cSushiSwap\u2019s non-Ethereum deployments and 2x rewards (all using the vulnerable MiniChefV2 and MasterChefV2 contracts) hold over $1 billion in total value. This means that this value is essentially untouchable for 10-hours several times a month.\u201d <\/p><\/blockquote>\n\n\n\n

In response to the assertions, SushiSwap's <\/a>pseudonymous creator, “Shadowy Super Coder Mudit Gupta,” took to Twitter to clarify that the threat mentioned is “not a vulnerability” and that there are “no funds at risk.”<\/p>\n\n\n\n

Gupta clarified that, in the event of an emergency, “anyone” can top up the pool's rewarder, avoiding most of the 10-hour multi-sig process that the hacker claimed was required to replenish the rewards pool. They went on to say:<\/p>\n\n\n\n

\u201cThe hacker's claim that someone can put in a lot of lp to drain the rewarder faster is incorrect. Reward per LP goes down if you add more LP.\u201d<\/p><\/blockquote>\n\n\n\n

After initially contacting SushiSwap, the hacker claimed that they were instructed to report the vulnerability to bug bounty platform Immunefi \u2014 where SushiSwap is offering rewards of up to $40,000 to users who report potentially dangerous vulnerabilities in their code \u2014 after they first contacted the exchange \u2014 and that they did so.<\/p>\n\n\n\n

In their report, they observed that the issue had been resolved on Immunefi without compensation, and SushiSwap <\/a>confirmed that they were aware of the situation.<\/p>\n","protected":false},"excerpt":{"rendered":"

One of the exchange’s developers has dismissed claims made by a self-described white-hat hacker regarding a major security risk to SushiSwap liquidity providers. A alleged vulnerability revealed by a white-hat hacker probing through SushiSwap’s smart contracts has been dismissed by the developer behind the popular decentralized exchange. According to media reports, the hacker claimed to […]<\/p>\n","protected":false},"author":13,"featured_media":10788,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[21],"tags":[2309,853],"class_list":["post-10781","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news","tag-avalanche","tag-sushiswap"],"jetpack_featured_media_url":"https:\/\/coinscreed.com\/staging\/wp-content\/uploads\/2021\/09\/image-236.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/posts\/10781","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/users\/13"}],"replies":[{"embeddable":true,"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/comments?post=10781"}],"version-history":[{"count":0,"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/posts\/10781\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/media\/10788"}],"wp:attachment":[{"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/media?parent=10781"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/categories?post=10781"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/tags?post=10781"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}