
Vulnerability

SushiSwap denies reports of billion dollar bug

Claims by a self-professed white-hat hacker about a major security risk to SushiSwap liquidity providers have been rejected by one of the exchange’s developers.

A developer behind the popular decentralized exchange SushiSwap has rejected a purported vulnerability reported by a white-hat hacker who had been poring over its smart contracts.

According to media reports, the hacker claimed to have identified a vulnerability that could place more than $1 billion worth of user funds under threat, stating they went public with the information after attempts to reach SushiSwap’s developers resulted in inaction.

The hacker claims to have identified a “vulnerability within the emergencyWithdraw function in two of SushiSwap’s contracts, MasterChefV2 and MiniChefV2” — contracts that govern the exchange’s 2x reward farms and the pools on SushiSwap’s non-Ethereum deployments such as Polygon, Binance Smart Chain and Avalanche.

While the emergencyWithdraw function allows liquidity providers to immediately claim their LP tokens while forfeiting rewards in the event of an emergency, the hacker claims the feature will fail if no rewards are held within the SushiSwap pool — forcing liquidity providers to wait for the pool to be manually refilled over a roughly 10-hour process before they can withdraw their tokens.
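The failure mode the reporter describes, reduced to a generic pattern, as an added illustration. This is not SushiSwap’s code and takes no position on whether MasterChefV2 or MiniChefV2 behave this way; every name in it (Rewarder, StakingPool, onWithdraw, emergencyWithdrawCoupled, emergencyWithdrawDecoupled) is hypothetical. The point it makes is the one a reviewer would raise about any emergency exit: the path that returns principal should not depend on an external call succeeding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not SushiSwap code. A minimal staking pool whose
// emergency exit calls an external rewarder. All names (Rewarder,
// StakingPool, onWithdraw, emergencyWithdrawCoupled, ...) are hypothetical.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical rewarder: pays accrued rewards from its own balance. When the
// balance is short, the token transfer reverts; that is the "empty rewards
// account" state described in the article.
contract Rewarder {
    IERC20 public immutable rewardToken;
    mapping(address => uint256) public pending;

    constructor(IERC20 _rewardToken) { rewardToken = _rewardToken; }

    function accrue(address user, uint256 amount) external { pending[user] += amount; }

    function onWithdraw(address user) external {
        uint256 owed = pending[user];
        pending[user] = 0;
        require(rewardToken.transfer(user, owed), "reward transfer failed");
    }
}

contract StakingPool {
    IERC20 public immutable lpToken;
    Rewarder public immutable rewarder;
    mapping(address => uint256) public staked;

    event RewarderFailed(address indexed user, bytes reason);

    constructor(IERC20 _lpToken, Rewarder _rewarder) {
        lpToken = _lpToken;
        rewarder = _rewarder;
    }

    function deposit(uint256 amount) external {
        staked[msg.sender] += amount;
        require(lpToken.transferFrom(msg.sender, address(this), amount), "deposit failed");
    }

    // Coupled exit: the rewarder hook sits on the critical path. If the
    // rewarder reverts, the whole transaction reverts and the LP tokens stay
    // locked until someone refills the rewarder.
    function emergencyWithdrawCoupled() external {
        uint256 amount = staked[msg.sender];
        staked[msg.sender] = 0;
        rewarder.onWithdraw(msg.sender);
        require(lpToken.transfer(msg.sender, amount), "lp transfer failed");
    }

    // Decoupled exit: principal is returned unconditionally. The rewarder hook
    // is best effort; a revert there is logged, not propagated. The revert also
    // rolls back the rewarder's own state change, so the user's pending balance
    // stays intact instead of being silently zeroed.
    function emergencyWithdrawDecoupled() external {
        uint256 amount = staked[msg.sender];
        staked[msg.sender] = 0;
        try rewarder.onWithdraw(msg.sender) {
        } catch (bytes memory reason) {
            emit RewarderFailed(msg.sender, reason);
        }
        require(lpToken.transfer(msg.sender, amount), "lp transfer failed");
    }
}
```

Two caveats on the hardened form. `try`/`catch` only absorbs a revert; a rewarder that burns all forwarded gas still fails the exit, which is why some designs forward a bounded gas stipend to hooks like this. And `staked[msg.sender]` is zeroed before the external call (checks-effects-interactions), so a rewarder that re-enters `emergencyWithdrawDecoupled` cannot withdraw the same principal twice.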

“It can take approximately 10 hours for all signature holders to consent to refilling the rewards account, and some reward pools are empty multiple times a month,” the hacker claimed, adding:

“SushiSwap’s non-Ethereum deployments and 2x rewards (all using the vulnerable MiniChefV2 and MasterChefV2 contracts) hold over $1 billion in total value. This means that this value is essentially untouchable for 10 hours several times a month.”

However, SushiSwap’s pseudonymous developer has taken to Twitter to reject the claims, with the platform’s “Shadowy Super Coder” Mudit Gupta stressing that the threat described “is not a vulnerability” and that “no funds are at risk.”

Gupta clarified that “anyone” can top up the pool’s rewarder in the event of an emergency, bypassing much of the 10-hour multi-sig process the hacker claimed is needed to replenish the rewards pool. They added:

“The hacker's claim that someone can put in a lot of lp to drain the rewarder faster is incorrect. Reward per LP goes down if you add more LP.”

Related: SushiSwap’s token launchpad, MISO, hacked for $3M

The hacker said they had been instructed to report the vulnerability on bug bounty platform Immunefi — where SushiSwap is offering to pay rewards of up to $40,000 to users who report risky vulnerabilities in its code — after they first reached out to the exchange.

They noted that the issue was closed on Immunefi without compensation, with SushiSwap stating they were aware of the matter described.


Custodial Lightning Network Service Attack Discovered by LN ‘Newbie’ — Hacker Strikes 6 LN Custodians

On September 18, a Redditor posted to the r/bitcoin forum and explained how he discovered a way to “attack [the] lightning Network’s custodial services.” The Reddit account dubbed “Reckless Satoshi” wanted to figure out if a “discrepancy between real routing fees and service’s transaction fee can be exploited for a profit.” The researcher disclosed that […]


White hat potentially saves SushiSwap $350M by finding ‘obvious’ exploit

The security researcher found a flaw in a Dutch auction smart contract that could have resulted in the loss of 109,000 ETH.

The SushiSwap decentralized exchange has narrowly avoided becoming the latest DeFi hack victim thanks to assistance from a white hat hacker.

A security researcher from venture capital firm Paradigm known on Twitter as “samczsun” has managed to save SushiSwap and its MISO platform from a potential loss of as much as 109,000 ETH.

In a blog post published on Aug. 17, the programmer described how he began examining the smart contract code for the BitDAO token sale at SushiSwap’s token launchpad platform, MISO.

On closer inspection, he found a flaw in the MISO Dutch auction contract whereby some of the functions lacked access controls.

“I didn’t really expect this to be a vulnerability though, since I didn’t expect the Sushi team to make such an obvious misstep.”

Upon deeper investigation, the white hat discovered a vulnerability that, if exploited, could result in all of the crypto assets in the token auction contract being drained by a malicious actor. An attacker could reuse the same ETH over and over to batch multiple calls to the contract and “bid in the auction for free.”

Samczsun tested the vulnerability with a successful exploit before contacting colleagues Georgios Konstantopoulos and Dan Robinson to take a look and double-check the findings. He also found that the flaw could be turned into outright theft: committing more ETH than the auction’s remaining hard cap triggers a refund of the excess, so a bidder whose single payment was counted many times could be refunded ETH that the contract had actually received from other participants.

“Suddenly, my little vulnerability just got a lot bigger. I wasn’t dealing with a bug that would let you outbid other participants. I was looking at a 350 million dollar bug.”
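The bug class described above, as an added illustration rather than MISO’s code: a generic batch helper built on `delegatecall` lets one ETH payment be counted once per batched call, because `delegatecall` runs the sub-call in the caller’s own context and preserves both `msg.sender` and `msg.value`. Every name here (BatchableAuction, commitEth, batchVulnerable, batchHardened, Bidder) is hypothetical, and the non-payable batch shown as the fix is one option, not a description of what SushiSwap changed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not MISO's code. A generic batch helper built on
// delegatecall lets one ETH payment be counted once per batched call, because
// delegatecall preserves msg.sender AND msg.value for the sub-call. All names
// (BatchableAuction, commitEth, batchVulnerable, Bidder, ...) are hypothetical.

contract BatchableAuction {
    uint256 public constant HARD_CAP = 10 ether;
    uint256 public commitmentsTotal;
    mapping(address => uint256) public commitments;

    // Records a bid. Anything above the remaining hard cap is refunded.
    function commitEth() public payable {
        uint256 available = HARD_CAP - commitmentsTotal;
        uint256 accepted = msg.value < available ? msg.value : available;
        commitments[msg.sender] += accepted;
        commitmentsTotal += accepted;
        if (msg.value > accepted) {
            // When msg.value has been reused, this "refund" is paid from ETH
            // that other bidders actually deposited.
            payable(msg.sender).transfer(msg.value - accepted);
        }
    }

    // VULNERABLE: payable batch. Every delegatecall below sees the batch's
    // msg.value, so 1 ETH sent with a batch of N commitEth() calls is credited
    // as N ether of commitments.
    function batchVulnerable(bytes[] calldata calls) external payable {
        for (uint256 i = 0; i < calls.length; i++) {
            (bool ok, bytes memory ret) = address(this).delegatecall(calls[i]);
            if (!ok) {
                // Bubble up the sub-call's revert reason unchanged.
                assembly { revert(add(ret, 32), mload(ret)) }
            }
        }
    }

    // HARDENED (one option): make the batch non-payable. msg.value is then
    // zero for the batch and therefore for every sub-call, so payable
    // functions can no longer be credited with ETH that was never sent.
    function batchHardened(bytes[] calldata calls) external {
        for (uint256 i = 0; i < calls.length; i++) {
            (bool ok, bytes memory ret) = address(this).delegatecall(calls[i]);
            if (!ok) {
                assembly { revert(add(ret, 32), mload(ret)) }
            }
        }
    }
}

// Demonstrates the reuse: pays 1 ETH once but submits commitEth() n times in
// a single batch and is credited n ether. Once the cap is reached, each further
// call refunds the full (reused) msg.value out of the contract's balance; if
// the contract holds only the bidder's own 1 ETH the refunds run dry and the
// batch reverts, so the drain only works against a contract holding others' ETH.
contract Bidder {
    function reuse(BatchableAuction target, uint256 n) external payable {
        bytes[] memory calls = new bytes[](n);
        for (uint256 i = 0; i < n; i++) {
            calls[i] = abi.encodeWithSelector(BatchableAuction.commitEth.selector);
        }
        target.batchVulnerable{value: msg.value}(calls);
    }

    // Receives the refunds.
    receive() external payable {}
}
```

The general rule the example encodes: any `payable` function reachable through a `delegatecall`-based multicall must not treat `msg.value` as "ETH this call brought in", because the same value is visible to every call in the batch. Either the batch is non-payable, or the contract tracks how much of `msg.value` has already been consumed across the batch.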

Related: Poly Network hack exposes DeFi flaws, but community comes to the rescue

It was then time to reach out to SushiSwap CTO Joseph Delong to formulate a rescue plan before the exploit was discovered in the wild. It was decided that the BitDAO team holding the token sale would manually end the auction by purchasing the remaining allocation and immediately finalizing the process and rescuing the funds.

SushiSwap noted that no funds were lost in the salvage effort, adding that it will pause the use of its MISO Dutch auction format until the smart contract can be updated. Crypto community member “DC Investor” commented:

“Everyone knows Paradigm has big UNI / Uniswap bags, but Sam from their team just helped save SushiSwap (an ostensible competitor) from a critical bug. This is the ethos of the space among the best actors.”

The BitDAO token sale went off without a hitch raising more than 112,000 ETH, valued at roughly $336 million, from over 9,200 participants according to a tweet from the protocol on Aug. 17.


Polygon-Based Defi Stablecoin Safedollar Plunges to Zero — Team Is Investigating Exploit

The algorithmic decentralized finance (defi) stablecoin safedollar (SDO) has been attacked, according to statements published on its Telegram channel. The safedollar token did not remain stable following the attack, as the defi stablecoin’s price collapsed to zero. Safedollar Stablecoin Price Collapses A Polygon (MATIC) blockchain-based stablecoin called safedollar (SDO) has lost all of its value, […]
