SushiSwap (SUSHI) claims that the reports of a $1b bug are false

Written on Sep 23, 2021
  • A white-hat hacker recently went public, reporting a crucial bug in SushiSwap DEX.
  • A feature that should allow liquidity providers to cash out quickly in case of emergency doesn’t work.
  • SushiSwap’s creator, however, claims that the report is wrong and that there is no flaw.

Recently, the DeFi sector of the crypto industry has seen a large number of exploits, which usually result in millions of dollars in crypto being stolen. This has put the entire DeFi sector on edge, so when a white-hat hacker reported a $1 billion bug in the software of the decentralized exchange SushiSwap (SUSHI/USD), many took it quite seriously.

However, the developer behind the exchange openly denied the reports. The hacker said that they reported the bug to the exchange, but as it did not react in any way, they decided to draw the attention of the public to it.

The supposed vulnerability was reported in the emergency withdrawal function in two contracts on SushiSwap — MasterChefV2 and MiniChefV2. These are the contracts in charge of governing the platform’s 2x reward farms, as well as the pools on chains other than Ethereum, including BSC, Avalanche, and Polygon.

What is the problem?

The emergencyWithdraw function is meant to be used in case of emergency: it allows liquidity providers to claim their LP tokens immediately, forfeiting rewards, if they have to cash out quickly. However, the hacker claims that the feature will fail if there are no rewards held in the SushiSwap pool.

As a result, liquidity providers have to wait for the pool to be refilled before LP tokens can be withdrawn, and that is a 10-hour process, meaning that it is hardly a feature that can be used in case of an emergency.

However, SushiSwap’s developer said that the claims are wrong, that this is not a flaw, and that no funds are at risk. They said that anyone can top up the pools’ rewarder in the event of an emergency, and that the 10-hour-long process can be bypassed.
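The two positions above can be compared in a simplified Python model. This is an added example, not SushiSwap's contract code: the names `Rewarder`, `Farm`, `on_reward` and `tolerate_rewarder_failure` are hypothetical, and it assumes the rewarder callback reverts when it cannot cover accrued rewards. The tolerant variant is a general defensive pattern, not a fix the project shipped.

```python
# Simplified model of the disputed failure mode. All names are hypothetical;
# this is not SushiSwap's contract code.

class Revert(Exception):
    """Stands in for an EVM revert, which undoes the whole transaction."""

class Rewarder:
    def __init__(self, balance=0):
        self.balance = balance            # reward tokens held by the rewarder

    def top_up(self, amount):
        self.balance += amount            # open to anyone, per the developer's reply

    def on_reward(self, owed):
        # Assumed behaviour: the callback settles accrued rewards and
        # reverts when the rewarder cannot cover them.
        if owed > self.balance:
            raise Revert("rewarder has insufficient rewards")
        self.balance -= owed

class Farm:
    def __init__(self, rewarder, tolerate_rewarder_failure=False):
        self.rewarder = rewarder
        self.tolerate = tolerate_rewarder_failure
        self.staked = {}                  # user -> LP tokens deposited
        self.owed = {}                    # user -> rewards accrued

    def deposit(self, user, lp, accrued_reward):
        self.staked[user] = self.staked.get(user, 0) + lp
        self.owed[user] = self.owed.get(user, 0) + accrued_reward

    def emergency_withdraw(self, user):
        lp, owed = self.staked.get(user, 0), self.owed.get(user, 0)
        try:
            self.rewarder.on_reward(owed)  # external call on the exit path
        except Revert:
            if not self.tolerate:
                raise                      # state untouched: LP tokens stay locked
        self.staked[user] = 0              # tolerant path forfeits the rewards
        self.owed[user] = 0
        return lp                          # LP tokens returned to the user

def scenario(tolerate, top_up=0):
    """Return the LP tokens recovered, or None if the call reverted."""
    rewarder = Rewarder(balance=0)         # constructed input: drained rewarder
    farm = Farm(rewarder, tolerate)
    farm.deposit("alice", lp=100, accrued_reward=5)
    rewarder.top_up(top_up)
    try:
        return farm.emergency_withdraw("alice")
    except Revert:
        return None
```

With a drained rewarder the strict variant reverts, a top-up lets the same call succeed, and the tolerant variant returns the LP tokens regardless of the rewarder's state.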

As for the hacker, they claim that SushiSwap suggested they report the bug on the bug bounty platform Immunefi, where the reward for crucial flaws on SushiSwap is $40,000. However, after the hacker did so, the issue was closed with no compensation.