Security Announcement: Double rewards removed due to vulnerability

Today the Sushiswap team reviewed our contracts and spotted a vulnerability with double rewards in our MasterChefJoeV2 contract.

TLDR; LPs are safe. Double rewards were vulnerable to being drained by a flash loan attack and both our double rewarder contracts (VSO/AVAX and YAK/AVAX) have been removed. In total $25k was at risk.

Details

// Withdraw without caring about rewards. EMERGENCY ONLY.    function emergencyWithdraw(uint256 _pid) public {        
PoolInfo storage pool = poolInfo[_pid];
UserInfo storage user = userInfo[_pid][msg.sender];
pool.lpToken.safeTransfer(address(msg.sender), user.amount);
emit EmergencyWithdraw(msg.sender, _pid, user.amount); user.amount = 0;
user.rewardDebt = 0;
}

Our emergencyWithdraw function on MasterChefJoeV2 does not call the double rewarder contract, so an attacker is able to take a flash loan, deposit into the double reward farm (either VSO/AVAX or YAK/AVAX) and drain the bonus rewards.

How the attack works:

  • Attacker takes a flash loan.
  • Deposits x LP tokens into any double reward farm (either YAK/AVAX or VSO/AVAX).
  • Emergency withdraws its LP tokens.
  • Deposits a single LP token back into the same farm and waits n number of days.
  • Harvests the bonus reward (either YAK or VSO) as if it had x number of LP tokens instead of 1 LP token.

We have now removed the double rewarder contracts from VSO/AVAX and YAK/AVAX farms. Users who had pending bonus rewards will not receive them anymore — we deeply apologize for this.

Summary

We want to reassure everyone that the MasterChefJoeV2 is currently safe since double rewards have now been removed and will not be implemented in the near future.

For extra precaution, an audit will be underway to ensure security of the protocol.

We would like to express our sincere gratitude to the Sushiswap team, for lending their expertise in helping us spot the vulnerability and solve the situation as quickly as possible.

--

--

--

One-stop Trading Platform on Avalanche

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Managing Password

Groestlcoin 22/6/22 Release

Formalizing Cyber Threat Intelligence Planning: Part VI

How to change your cPanel password

FalconFriday — Malicious Scheduled Tasks — 0xFF0B

Secure Development Practices within Zowe

The proposed solution to online privacy

Introduction to Homomorphic Encryption

Image result for cryptography

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Trader Joe

Trader Joe

One-stop Trading Platform on Avalanche

More from Medium

Trader Joe & Keystone Partnership: Secure Signing on Avalanche Blockchain!

Penguin Rush Phase 3: Turbo Igloos! 🧊🔥

Moremoney to use Yield Yak to increase yields on collateral

Defrost Finance to Use Chainlink Price Feeds for Collateral Valuation