Uniswap clone SushiSwap has been the primary beneficiary of the collateral exodus from the leading DEX. However, more coding issues have emerged that could result in anonymous addresses accessing those funds.
When Uniswap liquidity mining incentives ended on November 17, over $1.7 billion in crypto collateral left the protocol for greener pastures. A large portion of this has gone into DeFi clone SushiSwap which has seen its own total value locked surge by 300% to top $1 billion according to Defipulse.com.
It appears that degen farmers don’t care about ethics and are just out for a quick buck. On-chain analytics provider Santiment commented that this inflow comes despite the previous ‘Chef’ selling off the developer fund in September.
1) $SUSHI nearly doubled this week, and this came as quite a surprise after its founder unilaterally sold half of the projects’ $27m developer fund back in early September. The number of daily #SushiSwap deposits (addresses used to move SUSHI to pic.twitter.com/De5yTAPVMP
— Santiment (@santimentfeed) November 18, 2020
More Control Concerns
DeFi researcher Chris Blec has discovered a potential flaw in SushiSwap’s code that could allow the anonymous signatories to make off with that collateral. He posted that there is a 48 hour timelock to access the funds which is not controlled by the governance multi-signature address.
“All $1b+ can be drained using the Ops admin key, a 3-of-5 multisig. Anonymous signers.”
???? @SushiSwap update – not great:
All $1b+ can be drained using the Ops admin key, a 3-of-5 multisig. Anonymous signers.
There is a 48h timelock, however the timelock itself can be modified by a single Ethereum (EOA) address w/ unknown security.
SushiSwap's Peckshield audit: pic.twitter.com/Pi3KqcSg6g
— Chris Blec (@ChrisBlec) November 18, 2020
SushiSwap governance is controlled by a number of DeFi whales who had enough tokens to sway the votes in their favor at the time of the election. While their identity is public, the controllers of the Ops multisig are not.
SushiSwap responded stating that the observation is correct and that the issue needs to be addressed.
“He stated, correctly, that such control should not be in the hands of people anon to the public, and we have thus immediately taken measures to adjust this. Control of the Timelock is being prepared for transfer from the Ops Multisig to the main Multisig.”
SushiSwap has not had the best of starts and has been embroiled in controversy starting when it migrated away from Uniswap. Yet degen farmers still flock to the protocol because it offers the best quick returns for their liquidity.
SUSHI Price Update
The protocol’s governance token, SUSHI, has never recovered from those rocky early days. It is currently trading up 4% on the day at $1.30 but languishing 85% down from its peak when the protocol took off in early September.
TVL on the other hand has recovered to over $1 billion as those degens load up their liquidity in SushiSwaps DeFi farms.