Illustration from Freepik

On September 2, Quantstamp, a blockchain security company, published a security review of the DeFi protocol SushiSwap (a Uniswap clone), noting on 10 security flaws within its software.

SushiSwap is a rivaling fork of Uniswap that allows clients to stake their coins and get a return of 5.58%. The protocol’s native coin, the SUSHI token, has increased 600% in value over the past few days and was added as a top 70 crypto asset by boasting a trade volume of more than 200% of its quarter-billion market cap in just one day. In less than one week, SushiSwap has collected more than $1.4 billion in locked funds from Uniswap, promising huge returns for liquidity providers.

According to Quantstamp’s review, researchers found errors failing to prevent the same liquidity provider token from being added more than once, allowing for interference with reward variables and allowing malicious third-parties access to the owner’s private key, enabling them to potentially steal funds from the platform.


The identified problems include two medium risks, three low risk, and five informational issues with the code. The researchers said that the issues are not critical enough to take out the fork, but investors have pointed out additional concerns.

Adam Cochran, partner at Cinneamhain Venture, revealed that the protocol’s developer fund is holding around $27 million worth of unlocked SUSHI tokens. In his statement to the public, he said that, despite how badly he wants to believe in the project, having a $27 million developer fund at the center of an anon project is a red flag for users.

After SushiSwap’s anonymous leader, with the pseudonym “Chef Nomi”, reflected on the criticism and said that the digital assets are designated for “devshare”, Cochran released another tweet, announcing his exit from the platform.

“Exiting the last of my $Sushi position. Founder still hasn’t moved on locking funds & is now purposefully calling a ‘security review’ a full audit,” Cochran said. “This pump opportunity puts fully diluted value at nearly $2b mcap. Too much risk here, & not much upside left. I’m out.”