SushiSwap appears to be vulnerable from a sneaky bug that could multiply someone’s governance power without having to acquire new tokens.
Reported by developer Jong Seok Park on Sept. 7, the bug can be described as a governance double-spend.
In essence, SushiSwap governance lets token holders delegate their voting power to another entity. However, if that token holder then transfers the tokens to someone else, the delegatee still maintains their governance power. The second token holder can now delegate tokens once again, multiplying the delegatee’s power by as much as necessary. The bug is that the token transfer does not reset delegation parameters, and this is likely the result of aggregating codebases from different projects.
SushiSwap’s governance contracts are largely a fork of Yam governance, themselves a fork of Compound. Looking at the Github source code of SushiSwap however, it appears that the token’s smart contract only modified the “mint” function from the standard implementation of ERC-20 contracts by OpenZeppelin. Yam, on the other hand, used a specific implementation of the standard that has a “moveDelegates” function called upon transferring.
In a conversation with Cointelegraph, FTX CEO and now lead for SushiSwap Sam Bankman-Fried confirmed the existence of the bug. He noted that “it doesn’t pose an immediate problem for Sushi” as governance hasn’t yet been activated.
Catching the bug before live release means that the team can now work on solutions to fix it. Bankman-Fried believes that the issue should be fixable without having to migrate the project to new contracts, but the team is “still looking into it.”
It is interesting to note that SushiSwap was hastily reviewed and audited by multiple firms as the project blew up in popularity. While one of the issues involves the same “moveDelegates” function at play here, it appears to be a different type of bug. It wouldn’t be the first time that audits fail to catch some issues, highlighting the need for the entire development community to pitch in to keep DeFi smart contracts secure.
The project is currently in a precarious state as its intended liquidity migration from Uniswap was predicated on successful audits by established security firms, in addition to the trust in the project’s anonymous founder.