A massive bug cannot be exploited yet as pool migration is set to continue.
SushiSwap appears to be vulnerable to a sneaky bug that could multiply someone's governance power without having to acquire new tokens.
Reported by developer Jong Seok Park on Sept. 7, the bug can be described as a governance double-spend.
In essence, SushiSwap governance lets tokenholders delegate their voting power to another entity. However, if that tokenholder then transfers the tokens to someone else, the delegatee still maintains their governance power. The second tokenholder can now delegate tokens once again, multiplying the delegatee's power by as much as necessary. The bug is that the token transfer does not reset delegation parameters, and this is likely the result of aggregating codebases from different projects.
SushiSwap's governance contracts are largely a fork of Yam governance, themselves a fork of Compound. Looking at the GitHub source code of SushiSwap, however, it appears that the token's smart contract only modified the "mint" function from the standard implementation of ERC-20 contracts by OpenZeppelin. Yam, on the other hand, used a specific implementation of the standard that has a "moveDelegates" function called upon transferring.
In a conversation with Cointelegraph, FTX CEO and now lead for SushiSwap Sam Bankman-Fried confirmed the existence of the bug. He noted that "It doesn't pose an immediate problem for Sushi" as governance hasn't yet been activated.
Catching the bug before live release means that the team can now work on solutions to fix it. Bankman-Fried believes that the issue should be fixable without having to migrate the project to new contracts, but the team is "still looking into it."
It is interesting to note that SushiSwap was hastily reviewed and audited by multiple firms as the project blew up in popularity. While one of the issues involves the same "moveDelegates" function at play here, it appears to be a different type of bug. It wouldn't be the first time that audits fail to catch some issues, highlighting the need for the entire development community to pitch in to keep DeFi smart contracts secure.
SushiSwap itself is currently reeling from the aftermath of its anonymous founder jumping ship with a "devfund" in SUSHI tokens worth $27 million at some point.
The intended liquidity migration from Uniswap is still set to continue with new migration contracts, but the prior decision from Chef Nomi was canceled.
Disclaimer
The views and opinions expressed in this article are solely those of the authors and do not reflect the views of Bitcoin Insider. Every investment and trading move involves risk - this is especially true for cryptocurrencies given their volatility. We strongly advise our readers to conduct their own research when making a decision.