en.cryptonomist.ch
A loophole has been discovered in the SushiSwap code which suggests that it might be a scam.
In the last few days some problems had already emerged for this new DeFi protocol, but this time there is clear evidence that it is not working as it should.
In fact, a blockchain engineer has discovered that there is a missing passage in the code of the relevant smart contract, thus allowing the owner to take possession of all the funds.
wjmelements.eth writes on Twitter:
The sushiswap migrator is not set. The owner can always change the migrator. An antagonistic migrator would be able to steal everyone's funds. At ~1B, this would be the biggest heist in crypto. pic.twitter.com/YQIIiTQu9u
— wjmelements.eth (@willmorriss4) August 31, 2020
“The sushiswap migrator is not set. The owner can always change the migrator. An antagonistic migrator would be able to steal everyone’s funds. At ~1B, this would be the biggest heist in crypto”.
The engineer examined the smart contract code and found that in the copy made from Uniswap, the author of SushiSwap failed to set the migrator.
The problem is that the author of the smart contract could modify the migrator by setting one at will.
wjmelements.eth explains that this could allow an attack whereby one could take over all the liquidity of the migration at very low prices. In short, if this happened it would be a real scam.
This opens up an attack where you atomically
1) create the sushiswap pair with the wrong price (or manipulate the existing price)
2) migrate liquidity at the wrong price
3) Acquire all migrated liquidity at crazy-cheap prices. pic.twitter.com/qNj4qHdNvG— wjmelements.eth (@willmorriss4) August 31, 2020
The discussion is still ongoing though, as it could also be a programming error that might still be remedied.
wjmelements.eth recommends avoiding using this protocol until the problem is solved.
The head of SushiSwap, Chef Nomi, responded to the accusations by saying:
This opens up an attack where you atomically
1) create the sushiswap pair with the wrong price (or manipulate the existing price)
2) migrate liquidity at the wrong price
3) Acquire all migrated liquidity at crazy-cheap prices. pic.twitter.com/qNj4qHdNvG— wjmelements.eth (@willmorriss4) August 31, 2020
“Setting migrator is under 48 hours timelock, as you all know. So please stop spreading bad fud info. Thanks”.
This minimization of the problem not only does not seem to be able to reassure users, but further increases suspicion.
However, the price of the SUSHI token hasn’t suffered any major setbacks, so the market seems to be disinterested in this problem.
It debuted on the markets on August 28th at around $3.7, and then rose to over $8.