The developer of the popular decentralized exchange SushiSwap has denied an alleged vulnerability reported by a white hat hacker who examined its smart contracts.
According to news reports, the hacker identified a vulnerability that could jeopardize user funds worth more than $1 billion. The hacker said he made the information public after efforts to contact SushiSwap's developers were futile.
Reportedly, the vulnerability was found in the emergency withdrawal function of two SushiSwap contracts, MasterChefV2 and MiniChefV2. These contracts manage the exchange's 2x farms and bounty pools on non-Ethereum versions of SushiSwap, such as Polygon, Binance Smart Chain, and Avalanche.
The emergency withdrawal feature allows liquidity providers to withdraw their LP tokens immediately in an emergency, forfeiting their rewards. The hacker claims that if no rewards are found in the SushiSwap pool, the feature will fail, forcing liquidity providers to wait about 10 hours for the pool to be refilled manually before they can withdraw their tokens.
“Waiting for all signatories to agree to recharge the reward account can take around 10 hours, and some of these accumulated prizes are emptied several times a month,” the hacker said.
“The non-Ethereum versions of SushiSwap and 2x rewards (all with MiniChefV2 and MasterChefV2 contracts) have a total value of over $1 billion. So that amount becomes unusable for 10 hours several times a month.”
However, the anonymous developer of SushiSwap denied the allegations in a Twitter post, claiming that the situation in question was not a weakness and that the funds were not at risk.
The developer stated that in an emergency, anyone can fill the pool with rewards, bypassing the 10-hour multi-signature process that the hacker claims is necessary to refill the reward pool.
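The disputed behaviour and the developer's workaround can be modelled in a few lines. This is an added illustration, not SushiSwap's contract code: the `Farm`, `Rewarder` and `isolate_hook` names are hypothetical, and it assumes the emergency path calls a reward hook that reverts when the reward balance is too low.

```python
# Simplified model (assumption), not the MasterChefV2/MiniChefV2 source.
class Revert(Exception):
    """Stands in for an EVM revert that rolls back the whole call."""

class Rewarder:
    def __init__(self, balance=0):
        self.balance = balance

    def top_up(self, amount):
        # Per the developer's statement, any account may refill rewards.
        self.balance += amount

    def on_reward(self, owed):
        if owed > self.balance:
            raise Revert("reward balance too low")
        self.balance -= owed

class Farm:
    def __init__(self, rewarder, isolate_hook):
        self.rewarder = rewarder
        self.isolate_hook = isolate_hook  # hypothetical hardening switch
        self.deposits, self.owed = {}, {}

    def deposit(self, user, lp, owed_reward):
        self.deposits[user] = self.deposits.get(user, 0) + lp
        self.owed[user] = self.owed.get(user, 0) + owed_reward

    def emergency_withdraw(self, user):
        lp = self.deposits.get(user, 0)
        try:
            self.rewarder.on_reward(self.owed.get(user, 0))
        except Revert:
            if not self.isolate_hook:
                raise  # coupled path: withdrawal reverts, LP tokens stay put
        self.deposits[user] = 0
        self.owed[user] = 0
        return lp

def demo():
    results = {}
    for isolate in (False, True):
        farm = Farm(Rewarder(balance=0), isolate)  # constructed sample state
        farm.deposit("lp1", lp=100, owed_reward=5)
        try:
            results[isolate] = farm.emergency_withdraw("lp1")
        except Revert:
            farm.rewarder.top_up(5)  # the workaround the developer describes
            results[isolate] = ("reverted, then", farm.emergency_withdraw("lp1"))
    return results
```

With the hook coupled to the withdrawal, an empty rewarder blocks the exit until someone refills it; with the hook failure isolated, the LP tokens come back regardless of the reward balance.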
The hacker said he was instructed to report the vulnerability on the bug bounty platform Immunefi. SushiSwap offers a reward of up to $40,000 on this platform to users who detect risky vulnerabilities in its code, as long as they contact the exchange first.
SushiSwap stated that it was already aware of the situation, and the issue was therefore closed without any payment.