A white-hat hacker recently drew the DeFi sector's attention by publicly disclosing what they describe as high-risk vulnerabilities in SushiSwap. According to the anonymous hacker, the vulnerabilities put user funds worth billions of dollars at risk.
Because SushiSwap's developers did not quietly fix the issue, the hacker took the details public. The hacker said the goal of the disclosure was to educate existing and future SushiSwap users about the risks of such vulnerable contracts, and also pointed to how casually SushiSwap handled the report.
The hacker identified two main vulnerabilities in the emergencyWithdraw function of two contracts, MiniChefV2 and MasterChefV2. These contracts manage SushiSwap's reward farms and pools, including on sidechains such as Polygon, Avalanche and Binance Smart Chain.
An emergency withdrawal feature is a safety net commonly found in DeFi protocols, including SushiSwap's Ethereum contracts. The function lets users pull their LP tokens out in an emergency, at the cost of forfeiting any rewards earned.
Although both contracts have the feature, the anonymous hacker claims it is misleading and does not work as intended. SushiSwap's code comment on the function says users should be able to get their funds out without worrying about rewards. In practice, however, the call fails whenever the pool's reward account is empty.
According to the report, the reward tokens SushiSwap pays to liquidity-provider token holders are held in a separate account. That account periodically runs dry and has to be refilled manually by a multi-signature wallet whose signers are apparently spread across different time zones.
As a result, it reportedly takes the signers around 10 hours to refill the reward account, and the report claims that some reward accounts run dry several times a month.
While an account is empty, liquidity providers on SushiSwap cannot collect rewards, unstake, stake, or even use the emergency withdrawal function. Their funds are effectively held hostage for the duration, leaving them unable to react to price movements in the staked liquidity-provider tokens.
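The failure mode described above, modelled as an added Python example rather than SushiSwap's own contract code: the class and function names (Rewarder, MasterChef, on_reward, emergency_withdraw_vulnerable, emergency_withdraw_hardened) are hypothetical, and reward accounting is reduced to a flat reward-per-LP-token so that the dependency on the reward account's balance is visible. The vulnerable path makes an unguarded external call to the reward account from inside the withdrawal, so an empty reward account turns "forfeit rewards, return my LP tokens" into a revert that also keeps the LP tokens locked; the hardened path lets that call fail without blocking the LP transfer.

```python
"""Model of a MasterChef-style emergencyWithdraw and the failure the report
describes. Added illustration, not SushiSwap's contract code: names are
hypothetical and reward maths is simplified to a flat reward per LP token.
"""
import copy


class Revert(Exception):
    """Stands in for an EVM revert: every state change in the call is undone."""


class Rewarder:
    """Separate reward account (the one the report says is refilled by hand)."""

    def __init__(self, reward_balance: int, reward_per_lp: int) -> None:
        self.reward_balance = reward_balance
        self.reward_per_lp = reward_per_lp
        self.paid: dict[str, int] = {}

    def on_reward(self, user: str, lp_amount: int) -> None:
        owed = lp_amount * self.reward_per_lp
        if owed > self.reward_balance:
            # An ERC-20 transfer larger than the balance reverts.
            raise Revert("rewarder: insufficient reward balance")
        self.reward_balance -= owed
        self.paid[user] = self.paid.get(user, 0) + owed


class MasterChef:
    def __init__(self, rewarder: Rewarder) -> None:
        self.rewarder = rewarder
        self.staked: dict[str, int] = {}
        self.lp_returned: dict[str, int] = {}

    def deposit(self, user: str, amount: int) -> None:
        self.staked[user] = self.staked.get(user, 0) + amount

    def _tx(self, body) -> None:
        """Run body with transaction semantics: a Revert rolls everything back."""
        snapshot = copy.deepcopy((self.staked, self.lp_returned, self.rewarder.__dict__))
        try:
            body()
        except Revert:
            self.staked, self.lp_returned, rewarder_state = snapshot
            self.rewarder.__dict__.update(rewarder_state)
            raise

    def emergency_withdraw_vulnerable(self, user: str) -> None:
        def body() -> None:
            amount = self.staked.get(user, 0)
            self.staked[user] = 0
            # Unguarded external call: an empty reward account reverts here,
            # and the revert takes the LP transfer below down with it.
            self.rewarder.on_reward(user, amount)
            self.lp_returned[user] = self.lp_returned.get(user, 0) + amount
        self._tx(body)

    def emergency_withdraw_hardened(self, user: str) -> None:
        def body() -> None:
            amount = self.staked.get(user, 0)
            self.staked[user] = 0
            # Emergency semantics: rewards are forfeited, so a failing rewarder
            # must never block the LP transfer. In Solidity this is a try/catch
            # around the external call (or, stricter still, no call at all).
            try:
                self.rewarder.on_reward(user, amount)
            except Revert:
                pass
            self.lp_returned[user] = self.lp_returned.get(user, 0) + amount
        self._tx(body)


def run_scenario(reward_balance: int, stake: int = 100) -> dict:
    """Stake, then emergency-withdraw through each path against a reward
    account holding reward_balance tokens. Returns the outcome per path."""
    outcome = {}
    for name in ("vulnerable", "hardened"):
        chef = MasterChef(Rewarder(reward_balance, reward_per_lp=2))
        chef.deposit("alice", stake)
        try:
            getattr(chef, f"emergency_withdraw_{name}")("alice")
            reverted = False
        except Revert:
            reverted = True
        outcome[name] = {
            "reverted": reverted,
            "lp_returned": chef.lp_returned.get("alice", 0),
            "still_staked": chef.staked["alice"],
            "rewards_paid": chef.rewarder.paid.get("alice", 0),
        }
    return outcome


if __name__ == "__main__":
    # Constructed inputs: a funded reward account, then one that has run dry.
    for balance in (1000, 0):
        print(balance, run_scenario(balance))
```

With a funded reward account both paths behave identically; with an empty (or merely insufficient) one, only the hardened path returns the LP tokens, which is the property an emergency exit exists to guarantee. The general lesson is that an emergency path should depend on nothing outside the contract that holds the principal.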
The hacker says SushiSwap's Discord team often encouraged users to call the emergency withdrawal function in this situation. Because the call fails while the reward account is empty, however, token holders were in practice told to wait until it was refilled.
After discovering the vulnerability, the hacker kept the finding confidential and reported it to SushiSwap, who redirected them to Immunefi, the bug bounty platform on which SushiSwap lists its program.
The program advertises a maximum bounty of $1.25 million, with high-risk vulnerabilities eligible for up to $40,000. SushiSwap, however, closed the report without paying a bounty and without fixing the vulnerability.
The hacker's position is that SushiSwap purposely added a vulnerability that locks up token holders' funds and costs them millions of dollars, and is refusing to fix it.