One of the developers behind the popular decentralized exchange SushiSwap has denied an alleged security issue reported by a white hat hacker who inspected its smart contracts.
According to media reports, the hacker identified a vulnerability that could put more than $1 billion in user funds at risk, and claims to have released the information after attempts to contact the SushiSwap developers resulted in inaction.
The hacker claims to have identified a “vulnerability in the EmergencyWithdraw function” in two SushiSwap contracts, MasterChefV2 and MiniChefV2. These contracts govern the exchange's 2x reward farms and the pools on non-Ethereum deployments of SushiSwap, such as Polygon, Binance Smart Chain and Avalanche.
While the emergency withdrawal feature allows liquidity providers to claim their liquidity provider tokens instantly while forfeiting rewards in an emergency, the hacker claims that the function fails if the rewards are not held within the SushiSwap pool, which forces liquidity providers to wait for the pool to be manually refilled, a process of around 10 hours, before they can withdraw their tokens.
“It can take about 10 hours for all signature holders to approve topping up the rewards account, and some rewards pools are empty several times a month,” claimed the hacker, adding:
“Non-Ethereum implementations and SushiSwap 2x bounties (all with the vulnerable MiniChefV2 and MasterChefV2 contracts) have a total value of over $1 billion. This means that this value is essentially sacrosanct for 10 hours multiple times a month.”
SushiSwap's pseudonymous developer has taken to Twitter to deny the claims, and the platform’s “Shadowy Super Coder”, Mudit Gupta, emphasizes that the threat described is “not a weak point” and “no funds are at risk”.
Gupta clarified that “anyone” can top up the pool's rewards in an emergency, avoiding much of the 10-hour multi-sig process that the hacker claimed is needed to replenish the reward pool. They added:
“The hacker’s claim that someone can use a large amount of LP to deplete the fastest bounty is wrong. The LP reward drops as you add more LP.”
The hacker said that, after first contacting the exchange, he was instructed to report the vulnerability on the bug bounty platform Immunefi, where SushiSwap offers to pay rewards of up to USD 40,000 to users who report risky vulnerabilities in its code.
They found the issue closed on Immunefi without compensation, with SushiSwap saying it was aware of the matter described.