SushiSwap denies “billion dollar vulnerability” in protocol

A developer of the decentralized exchange SushiSwap has denied a “white hat” hacker’s claim to have discovered a vulnerability that could cost the protocol $1 billion.

White hat hacker CryptoWilfred tonight published several posts on his Twitter account about a vulnerability he discovered in the SushiSwap platform, which could threaten users’ crypto assets worth $1 billion. He said he decided to release the information after attempts to contact the SushiSwap developers failed.

The hacker claims to have discovered a vulnerability in the emergencyWithdraw function in two SushiSwap smart contracts, MasterChefV2 and MiniChefV2, which govern the exchange’s double reward farms and pools in SushiSwap deployments on Polygon, Binance Smart Chain, and Avalanche.

The emergencyWithdraw function allows liquidity providers to withdraw their cryptoassets immediately in an emergency, forfeiting their rewards. However, the hacker claims that this function will not work if there are no rewards in the SushiSwap pool. Liquidity providers would then face a long wait until the pool is manually replenished, which can take about ten hours. Only after that does withdrawal through the function become available.

“It can take all signature holders about ten hours to agree to replenish the reward account, and some reward pools are empty several times a month,” the hacker said. “The SushiSwap deployment without Ethereum and the 2x rewards (all using the vulnerable MiniChefV2 and MasterChefV2 contracts) have over $1 billion worth of cryptoassets. This means that all of this money can essentially be locked to users for ten hours several times a month.”

One of the anonymous developers of SushiSwap wrote on Twitter that the threat “does not constitute a vulnerability” and that users’ money is safe. He explained that any signature holder can add to the emergency reward pool, bypassing most of the ten-hour multi-signature process. According to the developer’s statement:

“The hacker’s claim that someone can add many liquidity providers to get rewards faster is wrong. The more liquidity providers there are, the lower the remuneration for each of them.”

The hacker said that he reported the vulnerability through the Immunefi bug bounty platform, where SushiSwap offers a reward of up to $40,000 for reporting critical errors in the protocol. However, the report was closed without a payout; the SushiSwap developers replied that they were aware of the situation.

Last week, the developers of the SushiSwap decentralized exchange reported that 864 ETH was stolen from its MISO token sale platform in a hacker attack. Vulnerabilities have already been identified on the MISO platform. In August, SushiSwap escaped a $365 million hack thanks to a white-hat hacker.
