A Sushiswap developer has revealed that there is no billion-dollar bug on the decentralized exchange following recent claims.
Is there a billion-dollar bug on the Sushiswap platform?
Mudit Gupta, Sushiswap’s “Shadowy Super Coder,” has come out to squash claims that there is a major bug on the decentralized exchange’s platform. This comes after a white hat hacker claimed that a bug on the Sushiswap platform could be exploited.
A white-hat hacker has claimed that he identified a vulnerability on the decentralized exchange that could place more than $1 billion worth of user funds under threat. The hacker stated that the information was made public after initially reaching out to Sushiswap and seeing that nothing was done about it.
Thread on #Sushiswap Vulnerability
1/ A vulnerability with SushiSwap's emergencyWithdraw function means users cannot stake, harvest or withdraw LP tokens from affected pools when the pool runs out of rewards. https://t.co/s9bHpciENR
— Wilfred Michael (@CryptoWilfred) September 22, 2021
The hacker claims to have identified a flaw within the emergencyWithdraw function in two of SushiSwap’s contracts, MasterChefV2 and MiniChefV2. These are the smart contracts that govern the DEX’s 2x reward farms and the liquidity pools on the exchange’s non-Ethereum deployments, like Polygon, Binance Smart Chain and Avalanche.
The hacker said, “SushiSwap’s non-Ethereum deployments and 2x rewards (all using the vulnerable MiniChefV2 and MasterChefV2 contracts) hold over $1 billion in total value. This means that this value is essentially untouchable for 10-hours several times a month.”
Sushiswap developer dismisses the claims
“Shadowy Super Coder” Mudit Gupta has come out to dismiss the claims, stating that no such bug exists on the Sushiswap platform.
This is not a vulnerability. No funds at risk. If rewarder runs out of rewards, withdrawing LP will fail but anyone (not just sushi) can top up the rewarder in an emergency.
Sushi can also just remove the rewarder.
— Mudit Gupta (@Mudit__Gupta) September 23, 2021
The developer stressed that the threat described wasn’t a vulnerability, and user funds are currently not at risk.