Dev finds major governance bug in SushiSwap, but no threat to the project yet

A massive bug cannot be exploited yet as pool migration is set to continue.

SushiSwap appears to be vulnerable from a sneaky bug that could multiply someone’s governance power without having to acquire new tokens.

Reported by developer Jong Seok Park on Sept. 7, the bug can be described as a governance double-spend.

In essence, SushiSwap governance lets tokenholders delegate their voting power to another entity. However, if that token holder then transfers the tokens to someone else, the delegatee still maintains their governance power. The second tokenholder can now delegate tokens once again, multiplying the delegatee’s power by as much as necessary. The bug is that the token transfer does not reset delegation parameters, and this is likely the result of aggregating codebases from different projects.

SushiSwap’s governance contracts are largely a fork of Yam governance, themselves a fork of Compound. Looking at the Github source code of SushiSwap, however, it appears that the token’s smart contract only modified the “mint” function from the standard implementation of ERC-20 contracts by OpenZeppelin. Yam, on the other hand, used a specific implementation of the standard that has a “moveDelegates” function called upon transferring.

In a conversation with Cointelegraph, FTX CEO and now lead for SushiSwap Sam Bankman-Fried confirmed the existence of the bug. He noted that “It doesn’t pose an immediate problem for Sushi” as governance hasn’t yet been activated.

Catching the bug before live release means that the team can now work on solutions to fix it. Bankman-Fried believes that the issue should be fixable without having to migrate the project to new contracts, but the team is “still looking into it.”

It is interesting to note that SushiSwap was hastily reviewed and audited by multiple firms as the project blew up in popularity. While one of the issues involves the same “moveDelegates” function at play here, it appears to be a different type of bug. It wouldn’t be the first time that audits fail to catch some issues, highlighting the need for the entire development community to pitch in to keep DeFi smart contracts secure.

SushiSwap itself is currently reeling from the aftermath of its anonymous founder jumping ship with a “devfund” in SUSHI tokens worth $27 million at some point.

The intended liquidity migration from Uniswap is still set to continue with new migration contracts, but the prior decision from Chef Nomi was canceled.