
SushiSwap denies reports of billion-dollar bug


One of the developers behind the famous decentralised exchange SushiSwap has dismissed a rumoured vulnerability, which a white-hat hacker said they discovered while probing into its smart contracts.

According to media sources, the hacker claimed to have discovered a weakness that may jeopardise more than $1B in user cash, and said they went public with the knowledge following unsuccessful attempts to contact SushiSwap’s engineers.

The vulnerability is inside the emergency withdraw function

According to the hacker, there is a “vulnerability inside the emergency Withdraw feature in two of SushiSwap’s contracts”, “MasterChefV2 and MiniChefV2”. SushiSwap’s non-Ethereum deployments, such as Polygon, Binance Smart Chain, and Avalanche, have contracts that manage the exchange’s 2x reward farms and pools.

In the case of an emergency, the Emergency Withdraw feature allows liquidity providers to retrieve their liquidity provider tokens instantly while forfeiting incentives. However, the hacker says that if no incentives are stored in the SushiSwap pool, the feature would fail. This means that before they can withdraw their tokens, liquidity providers must wait for the pool to be manually replenished during a 10-hour period.

Furthermore, the hacker claimed that “it can take up to 10 hours for all signature holders to agree to refilling the rewards account” and that “some reward pools are empty multiple times a month”.

“It is not a vulnerability” and “no money is at risk”

SushiSwap’s pseudonymous developer has responded to the accusations on Twitter, emphasising that the danger outlined “is not a vulnerability” and that “no money is at risk”, according to the platform’s “Shadowy Super Coder” Mudit Gupta.

Mudit Gupta emphasised that “anyone” can top up the pool’s rewarder in the case of an emergency, circumventing most of the 10-hour multi-sig procedure that the hacker claimed is necessary to replenish the rewards pool.

“The hacker’s assertion that a large amount of LP may be put in to drain the rewarder quicker is false. If you add more LPs, the reward per LP decreases.”
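The two competing claims can be checked against a small model. The following is an added example, not SushiSwap's contract code and not part of the original article: the class names, the fixed per-block emission and the rule that the rewarder hook fails when its balance is zero are all assumptions taken from the statements reported above.

```python
# Simplified model of the dispute; NOT MasterChefV2/MiniChefV2 source code.
class Rewarder:
    """Hypothetical bonus-token rewarder holding a finite balance."""
    def __init__(self, balance):
        self.balance = balance

    def on_reward(self, amount):
        # Assumed failure mode (the reporter's claim): the hook errors when empty.
        if self.balance == 0 or amount > self.balance:
            raise RuntimeError("rewarder empty")
        self.balance -= amount

    def top_up(self, amount):
        # No access control, per the developer's reply that "anyone" can refill.
        self.balance += amount

class Farm:
    def __init__(self, rewarder, reward_per_block):
        self.rewarder = rewarder
        self.reward_per_block = reward_per_block  # assumed fixed for the whole pool
        self.stakes = {}

    def deposit(self, user, lp):
        self.stakes[user] = self.stakes.get(user, 0) + lp

    def reward_per_lp(self):
        return self.reward_per_block / sum(self.stakes.values())

    def blocks_until_empty(self):
        return self.rewarder.balance // self.reward_per_block

    def emergency_withdraw(self, user):
        self.rewarder.on_reward(0)    # hook runs first; a failure leaves the stake intact
        return self.stakes.pop(user)  # LP tokens returned, rewards forfeited

def demo():
    farm = Farm(Rewarder(balance=1_000), reward_per_block=10)  # constructed values
    farm.deposit("alice", 100)
    before = (farm.reward_per_lp(), farm.blocks_until_empty())
    farm.deposit("whale", 9_900)      # large deposit: share per LP shrinks
    after = (farm.reward_per_lp(), farm.blocks_until_empty())
    farm.rewarder.balance = 0         # rewards have run out
    try:
        farm.emergency_withdraw("alice")
        blocked = False
    except RuntimeError:
        blocked = True
    farm.rewarder.top_up(1)           # any account, no multi-sig round needed
    return before, after, blocked, farm.emergency_withdraw("alice")

if __name__ == "__main__":
    print(demo())
```

Under these assumptions the large deposit lowers the reward per LP but leaves the time until the rewarder is empty unchanged, and a one-unit top-up from any account is enough to unblock the withdrawal.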

After reaching out to the exchange, the hacker stated that SushiSwap told them to submit the vulnerability to bug bounty platform Immunefi, where SushiSwap is giving incentives of up to $40,000 to customers who identify hazardous flaws in its code.

They mentioned that they resolved the issue without compensation on Immunefi, and that SushiSwap was aware of the situation.
