SushiSwap, a Japanese decentralized exchange, has dismissed the claims of a white hat hacker who says two contracts on the exchange have a vulnerability that puts US$1 billion worth of user assets at risk.

Fast facts

  • An anonymous white hat hacker published a report on Thursday claiming there is a loophole in the emergency withdrawal function of two contracts on SushiSwap, MasterChefV2 and MiniChefV2. The MasterChefV2 contracts are used for all 2x reward farms on SushiSwap, while the MiniChefV2 contracts are used for liquidity provider (LP) pools on networks other than Ethereum. This means these contracts are in control of LP tokens that are deposited to stake tokens and earn yields.
  • In case of an emergency, users are allowed to withdraw their funds from the staking pools, especially if SushiSwap comes under attack, the report claims. This is a basic safety net applied to most contracts on all networks to help investors preserve their capital. However, withdrawing in case of an emergency means users stand to lose the yield or token rewards earned up to that point. The declarations by SushiSwap for both contracts also claim the same.
  • However, the report claims the SushiSwap contracts do not abide by the declarations. When a user on SushiSwap uses the emergency withdraw function, if the call to collect rewards fails, they will not be able to withdraw the funds, the report states. This is because the token rewards paid out by SushiSwap are stored in a different account that can run dry multiple times a month. This requires the SushiSwap team to manually fill the account, which requires signatures from multiple members who are located in different time zones. According to the white hat hacker, it can take approximately 10 hours for all signature holders to provide consent to refill the account. And during this 10-hour window, SushiSwap LPs cannot stake, unstake, collect rewards or use the emergency withdraw function. In other words, their funds are stuck on SushiSwap during this period since the emergency withdraw function fails when the call to collect rewards does.
  • SushiSwap developer Mudit Gupta dismissed the claim on Twitter, saying: “This is not a vulnerability. No funds at risk. If rewarder runs out of rewards, withdrawing LP will fail but anyone (not just sushi) can top up the rewarder in an emergency. Sushi can also just remove the rewarder.” A Twitter user noted: “But why does Sushiswap not simply patch this issue so users can withdraw funds funds at anytime? I’d assume locking users out of their LP tokens even for a minute is unhealthy practice?” Another community member said the developers would not concede to the flaw, even if it was true, since it is not in their best interest.
  • The white hat hacker decided to publish the vulnerability report publicly after he was given the cold shoulder by the SushiSwap team when he brought up the issue in private. The report comes after SushiSwap averted a potential US$350 million hack last month after a white hat hacker pointed out a bug in the smart code contract for the BitDAO token sale on SushiSwap’s MISO token sale platform. Cases of hacking have been on the rise this year. In August, Poly Network suffered from the largest DeFi hack in history while on Thursday, Bitcoin Foundation’s website was attacked and displayed a message of a scam that claimed to double user funds.