The DeFi sector has recently become a hotspot for exploits, accounting for nearly 76% of all major hacks worldwide in 2021. So it came as little surprise when a self-described ‘white-hat hacker’ drew public attention by reporting a supposed billion-dollar bug in SushiSwap’s smart contracts.
The hacker alleged that after several failed attempts to reach SushiSwap about the bug, they decided to go public with it. Reports of the supposed vulnerability were soon denied by one of SushiSwap’s developers in a tweet on Thursday.
The ‘white-hat hacker’ claimed to have found a vulnerability in the emergency withdrawal function of two SushiSwap contracts, MasterChefV2 and MiniChefV2, that could have put funds worth $1 billion at risk.
Both contracts govern SushiSwap’s 2x reward farms and its pools on non-Ethereum chains such as Polygon, Binance Smart Chain, and Avalanche.
The emergency withdrawal function lets liquidity providers pull their staked tokens out immediately in an emergency, forfeiting any unclaimed rewards. The hacker argued this amounted to a vulnerability because ordinary withdrawals stop working whenever the pool’s rewarder has run out of reward tokens.
That could leave liquidity providers waiting at least 10 hours until the rewarder was manually refilled. The hacker claimed:
“SushiSwap’s non-Ethereum deployments and 2x rewards (all using the vulnerable MiniChefV2 and MasterChefV2 contracts) hold over $1 billion in total value. This means that this value is essentially untouchable for 10 hours several times a month.”
Soon after, however, one of SushiSwap’s developers disputed the report in a tweet, pointing out that if a pool’s rewarder runs out of rewards, anyone, not just Sushi, can refill it.
“The hacker’s claim that someone can put in a lot of LP to drain the rewarder faster is incorrect. Reward per LP goes down if you add more LP.”
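To make the two sides of the dispute concrete, here is a simplified Python model of MasterChef-style reward accounting. It is an added example written for this page, not SushiSwap’s contract code, and the figures (100 reward tokens emitted per block, a rewarder funded with 500 tokens, two hypothetical stakers) are constructed. It shows that emissions are split pro-rata, so adding LP dilutes each staker’s rate without draining the rewarder any faster, and that a normal withdrawal, which must pay pending rewards first, fails once the rewarder is empty, leaving either an emergency withdrawal that forfeits the rewards or a refill, which in this model anyone may perform.

```python
"""Simplified MasterChef-style staking pool (added illustration, not SushiSwap code)."""
import copy
from dataclasses import dataclass, field
from typing import Dict, Tuple

PRECISION = 10**12  # fixed-point scale for acc_reward_per_share, as in MasterChef


class RewarderEmpty(Exception):
    """Raised when the rewarder cannot pay the rewards a withdrawal owes."""


@dataclass
class User:
    amount: int = 0        # LP tokens staked
    reward_debt: int = 0   # rewards already accounted for at the last interaction


@dataclass
class Pool:
    reward_per_block: int           # fixed emission per block (hypothetical figure)
    rewarder_balance: int           # reward tokens the rewarder currently holds
    lp_supply: int = 0
    acc_reward_per_share: int = 0   # cumulative reward per LP token, scaled by PRECISION
    last_reward_block: int = 0
    users: Dict[str, User] = field(default_factory=dict)

    def update(self, block: int) -> None:
        """Accrue emissions since the last update. Emission is per block, not per LP,
        so extra LP only dilutes each staker's share of the same total."""
        if block <= self.last_reward_block:
            return
        if self.lp_supply > 0:
            reward = (block - self.last_reward_block) * self.reward_per_block
            self.acc_reward_per_share += reward * PRECISION // self.lp_supply
        self.last_reward_block = block

    def pending(self, who: str) -> int:
        u = self.users.get(who, User())
        return u.amount * self.acc_reward_per_share // PRECISION - u.reward_debt

    def refill(self, amount: int) -> None:
        """Top up the rewarder; in this model any caller may do so."""
        self.rewarder_balance += amount

    def _harvest(self, who: str) -> int:
        owed = self.pending(who)
        if owed > self.rewarder_balance:
            raise RewarderEmpty(f"{who} is owed {owed}, rewarder holds {self.rewarder_balance}")
        self.rewarder_balance -= owed
        return owed

    def deposit(self, who: str, amount: int, block: int) -> int:
        self.update(block)
        u = self.users.setdefault(who, User())
        paid = self._harvest(who)  # pending rewards are paid on every interaction
        u.amount += amount
        u.reward_debt = u.amount * self.acc_reward_per_share // PRECISION
        self.lp_supply += amount
        return paid

    def withdraw(self, who: str, amount: int, block: int) -> Tuple[int, int]:
        """Normal path: pays pending rewards first, so it fails when the rewarder is dry."""
        self.update(block)
        u = self.users[who]
        if amount > u.amount:
            raise ValueError("withdraw exceeds staked amount")
        paid = self._harvest(who)
        u.amount -= amount
        u.reward_debt = u.amount * self.acc_reward_per_share // PRECISION
        self.lp_supply -= amount
        return amount, paid

    def emergency_withdraw(self, who: str) -> int:
        """Return all LP without touching the rewarder; pending rewards are forfeited."""
        u = self.users[who]
        amount = u.amount
        u.amount = 0
        u.reward_debt = 0
        self.lp_supply -= amount
        return amount


def scenario() -> dict:
    """Constructed walk-through with two hypothetical stakers, alice and bob."""
    pool = Pool(reward_per_block=100, rewarder_balance=500)
    pool.deposit("alice", 1000, block=0)
    pool.deposit("bob", 3000, block=2)            # alice's share drops from 100% to 25%
    alice_at_2 = pool.pending("alice")            # 2 blocks alone: 200
    pool.update(block=6)
    alice_at_6 = pool.pending("alice")            # 4 more blocks at 25%: +100
    owed_total = alice_at_6 + pool.pending("bob")  # 600 = 6 blocks * 100, regardless of LP
    _, alice_paid = pool.withdraw("alice", 1000, block=6)   # rewarder left with 200
    try:
        pool.withdraw("bob", 3000, block=6)       # owes 300, rewarder holds 200
        bob_blocked = False
    except RewarderEmpty:
        bob_blocked = True
    forfeited = copy.deepcopy(pool)               # option 1: emergency withdraw
    bob_lp = forfeited.emergency_withdraw("bob")
    refilled = copy.deepcopy(pool)                # option 2: anyone refills, then withdraw
    refilled.refill(100)
    _, bob_paid = refilled.withdraw("bob", 3000, block=6)
    return {
        "alice_rate_alone": alice_at_2 // 2,
        "alice_rate_diluted": (alice_at_6 - alice_at_2) // 4,
        "owed_at_block_6": owed_total,
        "alice_paid": alice_paid,
        "bob_blocked": bob_blocked,
        "bob_lp_via_emergency": bob_lp,
        "bob_rewards_forfeited": pool.pending("bob"),
        "bob_paid_after_refill": bob_paid,
    }


if __name__ == "__main__":
    print(scenario())
```

The model keeps MasterChef’s `accRewardPerShare` / `rewardDebt` bookkeeping but drops pool allocation points and the separate rewarder contract; the failure mode it reproduces is only that a reward transfer larger than the rewarder’s balance cannot succeed, which is the condition both sides of the dispute describe.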
The hacker later said SushiSwap had directed them to submit the bug through the bug bounty platform Immunefi, where SushiSwap pays $40,000 for reports of critical flaws in its system. According to the hacker, however, the report was closed without compensation.