The Intelligent Insurer #35 — Whitehat hacker details vulnerability with SushiSwap emergency withdrawal function
A week after becoming the subject of a mysterious hack, DeFi protocol SushiSwap is at the center of attention once again. A white hat hacker has released a detailed report outlining potential flaws on the platform which could place over $1 billion of users’ funds at risk.
SushiSwap has denied the hacker’s claim but has nonetheless taken steps to fix the “issue”. In the latest Intelligent Insurer, we detail the white hat hacker’s findings, SushiSwap’s response, and examine the implications of this event for DeFi investors. However, before that, we’ll dive into our weekly development update.
Insured Finance Development Update
We’re excited to have made further progress towards our Alpha release over the past week. Following last week’s deployment of all smart contracts and The Graph on the Mumbai testnet (users can explore The Graph by clicking this link), we continued to work on setting up test accounts:
- We continued work on setting up 25 test accounts with the required tokens for the users we invited.
- We completed testing the smart contract functionality related to token distribution and refined our first user guide draft that will clearly explain functionalities on our platform.
- Our focus for the coming week is to set up an INFI token faucet for test users and refine metrics and the data dashboard.
In addition to the above, we continue to rigorously test and update our platform to ensure users experience a safe marketplace environment. Our vision of creating the world’s premier insurance marketplace for digital assets remains intact and we will continue to keep the community updated.
Hacker identifies SushiSwap vulnerability
On Wednesday, September 22nd, an anonymous white hat hacker published a report detailing flaws within two of SushiSwap’s smart contracts that could place over $1 billion of user funds at risk. According to the report, the flaws center around the emergencyWithdraw function within the MasterChefV2 and MiniChefV2 contracts.
These contracts govern rules surrounding SushiSwap’s 2X reward farms and pools on side chains such as Binance Smart Chain, Polygon, Avalanche, and Factom. The emergency withdraw function is standard in all DeFi protocols. The function allows users to withdraw their liquidity provider tokens in emergencies, forfeiting any further rewards.
The hacker’s report claims that SushiSwap’s emergency withdraw functions don’t work as intended. For starters, users should be paid irrespective of rewards earned. However, SushiSwap’s functions fail if there are no rewards within the platform’s pool. The hacker also raised another flaw.
The tokens that users are paid upon withdrawal by SushiSwap are stored in a separate account. Often, reward pools dry up and have to be manually refilled by the platform’s developers via a multi-signature account. Because the signature holders work in different time zones, it can take up to 10 hours for all of them to consent to replenishing the account.
Effectively, user funds are held hostage during this time. The hacker pointed out that due to this vulnerability, a nefarious actor could theoretically use a large number of LP tokens to dry out the reward pools, and thus render user funds inactive until the signature holders replenish the pools. Users cannot stake, unstake, or react to market events during this period which leaves them powerless.
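The failure mode described above, as an added example that is not SushiSwap's contract code: a simplified Python model in which the emergency exit either depends on the reward pool or is decoupled from it. The class and method names (`Farm`, `RewardPool`, `try_exit`) and all balances are constructed for illustration.

```python
class Revert(Exception):
    """Stands in for an EVM revert: the transaction fails and state is unchanged."""


class RewardPool:
    """Separate account that holds reward tokens (constructed model)."""

    def __init__(self, balance):
        self.balance = balance

    def pay(self, amount):
        if amount > self.balance:
            raise Revert("reward pool cannot cover payout")
        self.balance -= amount


class Farm:
    def __init__(self, pool):
        self.pool = pool
        self.staked = {}    # user -> LP tokens deposited
        self.pending = {}   # user -> rewards accrued but not yet paid

    def deposit(self, user, lp_amount, accrued=0):
        self.staked[user] = self.staked.get(user, 0) + lp_amount
        self.pending[user] = self.pending.get(user, 0) + accrued

    def emergency_withdraw_coupled(self, user):
        # Failure mode: reward payout sits on the exit path, so a dry pool
        # reverts the call before the user's LP tokens are released.
        self.pool.pay(self.pending.get(user, 0))
        self.pending[user] = 0
        lp, self.staked[user] = self.staked.get(user, 0), 0
        return lp

    def emergency_withdraw_decoupled(self, user):
        # Hardened: never touches the reward pool; rewards are forfeited.
        self.pending[user] = 0
        lp, self.staked[user] = self.staked.get(user, 0), 0
        return lp


def try_exit(farm, user, method):
    """Return the LP amount released, or None if the call reverted."""
    try:
        return getattr(farm, method)(user)
    except Revert:
        return None
```

With an empty reward pool the coupled exit returns `None` and the stake stays locked, while the decoupled exit releases the full deposit.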
SushiSwap denies potential exploit
The white hat hacker posted their report on Immunefi, a bug bounty platform on which SushiSwap had promised a maximum reward of $1.25 million. Curiously, SushiSwap refused to acknowledge the issue and closed the report, claiming it wasn’t an issue to begin with.
Mudit Gupta, a self-professed “Shadowy Super-Coder” and SushiSwap developer, sought to calm nerves on Twitter. He noted that user funds are not at risk and that the developer team was aware of the issue before the report’s release.
Needless to say, the white hat hacker was less than impressed with this response. They stated that Gupta’s statement effectively means the platform’s developers introduced a bug that could hold user funds hostage for hours, and that their refusal to fix the issue highlights a careless attitude.
Constant protocol risks for DeFi investors
Gupta’s response, which seeks to calm nerves, misses the irony of a safety function like emergency withdraw posing the greatest risk of all to investors. Given SushiSwap’s history with bug exploits, it’s safe to say the core team’s response to the white hat hacker’s allegations is less than ideal.
Solutions like Insured Finance, which guarantee fund safety even during times of high volatility and risk, fill the security gap that many DeFi protocols leave. Investors who purchase insurance via the marketplace can be fully protected in the event of hacks.
Gupta stated that the next version of SushiSwap’s MasterChef will not have this issue, but did not mention when this will be implemented. He listed the complexity behind migrating production smart contracts as the reason for the delay. He did not provide any clarification about why SushiSwap feels the need to fix a professed non-issue.
About Insured Finance
Insured Finance is a decentralized, peer-to-peer insurance marketplace. Insured Finance users can request customized insurance on a wide variety of digital assets. Those that fulfill requests earn premiums and can earn a competitive return on their capital. Claims are fully collateralized and settled instantly.