
SushiSwap (SUSHI) claims that the reports of a $1b bug are false | Invezz

invezz.com, 23 September 2021 08:40 UTC

Recently, the DeFi sector of the crypto industry has seen a large number of exploits, which usually result in millions of dollars in crypto being stolen. This has put the entire DeFi sector on edge, so when a white-hat hacker reported a $1 billion bug in the software of the decentralized exchange SushiSwap (SUSHI/USD), many took it quite seriously.

Thread on #Sushiswap Vulnerability

1/ A vulnerability with SushiSwap's emergencyWithdraw function means users cannot stake, harvest or withdraw LP tokens from affected pools when the pool runs out of rewards. https://t.co/s9bHpciENR

— Wilfred Michael (@CryptoWilfred) September 22, 2021

However, the developer behind the exchange openly denied the reports. The hacker said that they reported the bug to the exchange, but as it did not react in any way, they decided to draw the attention of the public to it.

The supposed vulnerability was reported in the emergency withdrawal function in two contracts on SushiSwap — MasterChefV2 and MiniChefV2. These are the contracts in charge of governing the platform’s 2x reward farms, as well as the pools on chains other than Ethereum, including BSC, Avalanche, and Polygon.

What is the problem?

The emergencyWithdraw function is meant to be used in case of emergency: it allows liquidity providers to claim their LP tokens immediately and forfeit their rewards if they have to cash out quickly. However, the hacker claims that the feature will fail if there are no rewards held in the SushiSwap pool.

As a result, liquidity providers have to wait for the pool to be refilled before LP tokens can be withdrawn, and that is a 10-hour process, meaning that it is hardly a feature that can be used in case of an emergency.

However, SushiSwap’s developer said that the claims are wrong, that this is not a flaw, and that no funds are at risk. They said that anyone can top up the pools’ rewarder in the event of an emergency, and that the 10-hour long process can be bypassed.

This is not a vulnerability. No funds at risk. If rewarder runs out of rewards, withdrawing LP will fail but anyone (not just sushi) can top up the rewarder in an emergency.

Sushi can also just remove the rewarder.

— Mudit Gupta (@Mudit__Gupta) September 23, 2021

As for the hacker, they claim that SushiSwap suggested they report the bug on the bug bounty platform Immunefi, where the reward for crucial flaws on SushiSwap is $40,000. However, after the hacker did so, the issue was closed with no compensation.
