Security vulnerabilities are commonplace, and it is crucial to get them patched as soon as possible. Before a fix can happen, though, an organisation has to acknowledge that its system has a vulnerability at all, and a recent example, SushiSwap, shows that platforms do not always take a reported threat seriously.
The popular decentralized exchange SushiSwap has denied that its system has the vulnerability a white-hat hacker claims to have found. According to media reports, the hacker said the flaw could potentially put more than a billion dollars in funds at risk.
Detailing the issue, the hacker described a “vulnerability within the emergencyWithdraw function in two of SushiSwap’s contracts, MasterChefV2 and MiniChefV2”. These contracts govern the exchange’s 2x reward farms, as well as the pools on its non-Ethereum deployments such as Polygon, Binance Smart Chain, and Avalanche.
SushiSwap has an emergencyWithdraw function that lets liquidity providers reclaim their tokens in an emergency while forfeiting their rewards. However, the hacker claims that this function fails if no rewards are present in the SushiSwap pool.
That would force liquidity providers to wait roughly 10 hours for the pool to be refilled before they could withdraw their tokens. In his words:
“It can take approximately 10 hours for all signature holders to consent to refilling the rewards account, and some reward pools are empty multiple times a month.”
However, SushiSwap’s pseudonymous developer tweeted, rejecting the claims.
Moreover, the platform’s “Shadowy Super Coder” Mudit Gupta stressed that the issue “is not a vulnerability” and that “no funds are at risk”. In his words:
“This is not a vulnerability. No funds at risk. If rewarder runs out of rewards, withdrawing LP will fail but anyone (not just sushi) can top up the rewarder in an emergency.”
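The disagreement above comes down to one design question: should an emergency withdrawal of principal depend on an external rewarder being able to pay? The following Solidity sketch is an added illustration of that pattern and is not SushiSwap’s code; the contract names, the `onReward` signature, the `owed` bookkeeping and the `topUp` helper are all constructed for this example. It shows a staking pool whose fragile emergency path reverts whenever the rewarder’s balance runs dry (the behaviour the hacker describes), a `topUp` that anyone can call (the mitigation Gupta points to), and a hardened variant that treats the rewarder call as best-effort so the liquidity provider always gets their LP tokens back.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed illustration of an emergency-withdraw path coupled to an
// external rewarder. Not the project's own code; all names are hypothetical.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address who) external view returns (uint256);
}

interface IRewarder {
    // Called by the pool on every deposit/withdraw so the rewarder can settle
    // the extra reward token it owes `user`. Hypothetical signature.
    function onReward(uint256 pid, address user, uint256 lpAmount) external;
}

// A rewarder that pays a second token out of its own balance. When that
// balance is lower than what it owes, the transfer reverts, and so does the
// pool transaction that called it.
contract SimpleRewarder is IRewarder {
    IERC20 public immutable rewardToken;
    mapping(address => uint256) public owed; // constructed bookkeeping

    constructor(IERC20 _rewardToken) { rewardToken = _rewardToken; }

    // Accrual is simplified to an explicit call for the sake of the example.
    function accrue(address user, uint256 amount) external { owed[user] += amount; }

    function onReward(uint256, address user, uint256) external override {
        uint256 pending = owed[user];
        owed[user] = 0;
        // Reverts when the rewarder holds less than `pending`.
        require(rewardToken.transfer(user, pending), "reward transfer failed");
    }

    // Anyone, not only the protocol team, can refill the rewarder.
    function topUp(uint256 amount) external {
        require(rewardToken.transferFrom(msg.sender, address(this), amount), "top-up failed");
    }
}

contract Pool {
    IERC20 public immutable lpToken;
    IRewarder public rewarder;
    mapping(address => uint256) public staked;

    event EmergencyWithdraw(address indexed user, uint256 amount);

    constructor(IERC20 _lpToken, IRewarder _rewarder) {
        lpToken = _lpToken;
        rewarder = _rewarder;
    }

    function deposit(uint256 amount) external {
        require(lpToken.transferFrom(msg.sender, address(this), amount), "deposit failed");
        staked[msg.sender] += amount;
    }

    // Fragile variant: returning the principal is coupled to the rewarder
    // call. If the rewarder cannot pay, the whole transaction reverts and the
    // LP tokens stay locked until someone calls topUp on the rewarder.
    function emergencyWithdrawFragile() external {
        uint256 amount = staked[msg.sender];
        staked[msg.sender] = 0;
        if (address(rewarder) != address(0)) {
            rewarder.onReward(0, msg.sender, 0);
        }
        require(lpToken.transfer(msg.sender, amount), "withdraw failed");
        emit EmergencyWithdraw(msg.sender, amount);
    }

    // Hardened variant: the emergency path forfeits rewards by design, so the
    // rewarder call is best-effort. try/catch swallows its revert (the
    // rewarder's own state change is rolled back) and the principal is
    // always returned regardless of the rewarder's balance.
    function emergencyWithdraw() external {
        uint256 amount = staked[msg.sender];
        staked[msg.sender] = 0;
        if (address(rewarder) != address(0)) {
            try rewarder.onReward(0, msg.sender, 0) {} catch {}
        }
        require(lpToken.transfer(msg.sender, amount), "withdraw failed");
        emit EmergencyWithdraw(msg.sender, amount);
    }
}
```

The design point is that an emergency exit should have as few external dependencies as possible: in the hardened variant the liquidity provider’s funds never wait on a multisig refilling a reward account. If the rewarder is not fully trusted, the `try` call can additionally be given a fixed gas stipend so a misbehaving rewarder cannot starve the LP transfer that follows it.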