One of the exchange’s developers has dismissed claims made by a self-described white-hat hacker regarding a major security risk to SushiSwap liquidity providers.
A alleged vulnerability revealed by a white-hat hacker probing through SushiSwap’s smart contracts has been dismissed by the developer behind the popular decentralized exchange.
According to media reports, the hacker claimed to have discovered a vulnerability that could jeopardize more than $1 billion in user funds, and that they went public with the information after unsuccessful attempts to contact SushiSwap’s developers.
The hacker claims to have discovered a “vulnerability within the emergencyWithdraw function in two of SushiSwap’s contracts, MasterChefV2 and MiniChefV2” — contracts that govern the exchange’s 2x reward farms and pools on non-Ethereum SushiSwap deployments like Polygon, Binance Smart Chain, and Avalanche.
While the emergencyWithdraw function allows liquidity providers to claim their LP tokens immediately while forfeiting rewards in the event of an emergency.
The hacker claims that if no rewards are held within the SushiSwap pool, the feature will fail, forcing liquidity providers to wait for the pool to be manually refilled over a 10-hour process before they can withdraw their tokens.
Gupta clarified that “anyone” can top up the pool’s rewarder in the event of an emergency, bypassing much of the 10-hour multi-sig process the hacker claimed is needed to replenish the rewards pool. They added:
“SushiSwap’s non-Ethereum deployments and 2x rewards (all using the vulnerable MiniChefV2 and MasterChefV2 contracts) hold over $1 billion in total value. This means that this value is essentially untouchable for 10-hours several times a month.”
In response to the assertions, SushiSwap’s pseudonymous creator, “Shadowy Super Coder Mudit Gupta,” took to Twitter to clarify that the threat mentioned is “not a vulnerability” and that there are “no funds at risk.”
Gupta clarified that, in the event of an emergency, “anyone” can top up the pool’s rewarder, avoiding most of the 10-hour multi-sig process that the hacker claimed was required to replenish the rewards pool. They went on to say:
“The hacker’s claim that someone can put in a lot of lp to drain the rewarder faster is incorrect. Reward per LP goes down if you add more LP.”
After initially contacting SushiSwap, the hacker claimed that they were instructed to report the vulnerability to bug bounty platform Immunefi — where SushiSwap is offering rewards of up to $40,000 to users who report potentially dangerous vulnerabilities in their code — after they first contacted the exchange — and that they did so.
In their report, they observed that the issue had been resolved on Immunefi without compensation, and SushiSwap confirmed that they were aware of the situation.
