Quantstamp Identifies 10 Security Flaws In SushiSwap

  • The rivaling one-week-old fork of Uniswap is in danger of losing validity due to issues causing disruptions to reward variables.
  • Moreover, SushiSwap’s developer fund was found to be holding $27 million worth of unlocked SUSHI tokens that could be used to dump against LP tokens.


On September 2, Quantstamp, a blockchain security company, published a security review of the DeFi protocol SushiSwap (a Uniswap clone), noting 10 security flaws within its software.

SushiSwap is a rival fork of Uniswap that allows clients to stake their coins and get a return of 5.58%. The protocol’s native coin, the SUSHI token, has increased 600% in value over the past few days and became a top 70 crypto asset, with a trade volume of more than 200% of its quarter-billion market cap in just one day. In less than one week, SushiSwap has collected more than $1.4 billion in locked funds from Uniswap, promising huge returns for liquidity providers.

According to Quantstamp’s review, researchers found errors that fail to prevent the same liquidity provider token from being added more than once, allowing interference with reward variables, and that allow malicious third parties access to the owner’s private key, enabling them to potentially steal funds from the platform.

The identified problems include two medium-risk, three low-risk, and five informational issues with the code. The researchers said that the issues are not critical enough to take out the fork, but investors have pointed out additional concerns.

Adam Cochran, partner at Cinneamhain Venture, revealed that the protocol’s developer fund is holding around $27 million worth of unlocked SUSHI tokens. In his statement to the public, he said that, despite how badly he wants to believe in the project, having a $27 million developer fund at the center of an anon project is a red flag for users.

After SushiSwap’s anonymous leader, with the pseudonym “Chef Nomi”, reflected on the criticism and said that the digital assets are designated for “devshare”, Cochran released another tweet, announcing his exit from the platform.

“Exiting the last of my $Sushi position. Founder still hasn’t moved on locking funds & is now purposefully calling a ‘security review’ a full audit,” Cochran said. “This pump opportunity puts fully diluted value at nearly $2b mcap. Too much risk here, & not much upside left. I’m out.”
