{"id":343116,"date":"2021-09-23T10:54:47","date_gmt":"2021-09-23T07:54:47","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/sushiswap-denies-reports-of-billion-dollar-bug\/"},"modified":"2021-09-23T10:54:47","modified_gmt":"2021-09-23T07:54:47","slug":"sushiswap-denies-reports-of-billion-dollar-bug","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/sushiswap-denies-reports-of-billion-dollar-bug\/","title":{"rendered":"# SushiSwap denies reports of billion dollar bug"},"content":{"rendered":"<p>&#8220;<strong># SushiSwap denies reports of billion dollar bug <\/strong>&#8221;<br \/>\n<img decoding=\"async\" src=\"https:\/\/images.cointelegraph.com\/images\/840_aHR0cHM6Ly9zMy5jb2ludGVsZWdyYXBoLmNvbS91cGxvYWRzLzIwMjEtMDkvODFlOTFkZTctYTk4MC00OTRmLWIyYjQtMGQzNjJlZDNmNTA4LmpwZw==.jpg\" \/><\/p>\n<div class=\"post-content\" data-v-128018ef>The developer behind popular decentralized exchange SushiSwap has rejected a purported vulnerability reported by a white-hat hacker snooping through their smart contracts.<\/p>\n<p>According to media reports, the hacker <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/twitter.com\/CryptoWilfred\/status\/1440811435202809861\">claimed<\/a> to have identified a vulnerability that could place more than $1 billion worth of user funds under threat, stating they went public with the information after attempts to reach out to SushiSwap\u2019s developers resulted in inaction.<\/p>\n<p>The hacker claims to have identified a \u201cvulnerability within the emergencyWithdraw function in two of SushiSwap\u2019s contracts, MasterChefV2 and MiniChefV2\u201d \u2014 contracts that govern the exchange\u2019s 2x reward farms and the pools on SushiSwap\u2019s non-Ethereum deployments such as Polygon, Binance Smart Chain and 
Avalanche.<\/p>\n<p>While the emergencyWithdraw function allows liquidity providers to immediately claim their LP tokens while forfeiting rewards in the event of an emergency, the hacker claims the feature will fail if no rewards are held within the SushiSwap pool \u2014 forcing liquidity providers to wait for the pool to be manually refilled over a roughly 10-hour process before they can withdraw their tokens.<\/p>\n<p>\u201cIt can take approximately 10 hours for all signature holders to consent to refilling the rewards account, and some reward pools are empty multiple times a month,\u201d the hacker claimed, adding:<\/p>\n<blockquote><p>\u201cSushiSwap\u2019s non-Ethereum deployments and 2x rewards (all using the vulnerable MiniChefV2 and MasterChefV2 contracts) hold over $1 billion in total value. This means that this value is essentially untouchable for 10 hours several times a month.\u201d\u00a0<\/p><\/blockquote>\n<p>However, SushiSwap\u2019s pseudonymous developer has taken to Twitter to reject the claims, with the platform&#8217;s &#8220;Shadowy Super Coder&#8221; Mudit Gupta stressing that the threat described \u201cis not a vulnerability\u201d and that \u201cno funds are at risk.\u201d<\/p>\n<p>Gupta <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/twitter.com\/Mudit__Gupta\/status\/1440886435691720709\">clarified<\/a> that \u201canyone\u201d can top up the pool\u2019s rewarder in the event of an emergency, bypassing much of the 10-hour multi-sig process the hacker claimed is needed to replenish the rewards pool. They added:<\/p>\n<blockquote><p>\u201cThe hacker&#8217;s claim that someone can put in a lot of lp to drain the rewarder faster is incorrect. 
Reward per LP goes down if you add more LP.\u201d<\/p><\/blockquote>\n<p>The hacker said they had been instructed to report the vulnerability on bug bounty platform Immunefi \u2014 where SushiSwap is offering to pay rewards of up to $40,000 to users that report risky vulnerabilities in their code \u2014 after they first reached out to the exchange.<\/p>\n<p>They noted that the issue was closed on Immunefi without compensation, with SushiSwap stating they were aware of the matter described.<\/p>\n<\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/cointelegraph.com\/news\/sushiswap-denies-reports-of-billion-dollar-bug\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;# SushiSwap denies reports of billion dollar bug &#8221; The developer behind popular decentralized exchange SushiSwap has rejected a purported vulnerability reported by a white-hat hacker snooping through their smart contracts. According to media reports, the hacker claimed to have identified a vulnerability that could place more than $1 billion worth of user funds under&#8230;<\/p>\n","protected":false},"author":1,"featured_media":343117,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/images.cointelegraph.com\/images\/1200_aHR0cHM6Ly9zMy5jb2ludGVsZWdyYXBoLmNvbS91cGxvYWRzLzIwMjEtMDkvODFlOTFkZTctYTk4MC00OTRmLWIyYjQtMGQzNjJlZDNmNTA4LmpwZw==.jpg","fifu_image_alt":"","footnotes":""},"categories":[1],"tags":[74860,74868,74882,89215],"class_list":["post-343116","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-general","tag-cryptocurrency-exchange","tag-defi","tag-hacks","tag-sushiswap"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/343116","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=343116"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/343116\/revisions"}],
"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/343117"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=343116"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=343116"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=343116"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}