Security Announcement: Double rewards removed due to vulnerability
Today the Sushiswap team reviewed our contracts and spotted a vulnerability with double rewards in our MasterChefJoeV2 contract.
TLDR; LPs are safe. Double rewards were vulnerable to being drained by a flash loan attack and both our double rewarder contracts (VSO/AVAX and YAK/AVAX) have been removed. In total $25k was at risk.
Details
// Withdraw without caring about rewards. EMERGENCY ONLY. function emergencyWithdraw(uint256 _pid) public {
PoolInfo storage pool = poolInfo[_pid];
UserInfo storage user = userInfo[_pid][msg.sender];
pool.lpToken.safeTransfer(address(msg.sender), user.amount); emit EmergencyWithdraw(msg.sender, _pid, user.amount); user.amount = 0;
user.rewardDebt = 0;
}
Our emergencyWithdraw function on MasterChefJoeV2 does not call the double rewarder contract, so an attacker is able to take a flash loan, deposit into the double reward farm (either VSO/AVAX or YAK/AVAX) and drain the bonus rewards.
How the attack works:
- Attacker takes a flash loan.
- Deposits x LP tokens into any double reward farm (either YAK/AVAX or VSO/AVAX).
- Emergency withdraws its LP tokens.
- Deposits a single LP token back into the same farm and waits n number of days.
- Harvests the bonus reward (either YAK or VSO) as if it had x number of LP tokens instead of 1 LP token.
We have now removed the double rewarder contracts from VSO/AVAX and YAK/AVAX farms. Users who had pending bonus rewards will not receive them anymore — we deeply apologize for this.
Summary
We want to reassure everyone that the MasterChefJoeV2 is currently safe since double rewards have now been removed and will not be implemented in the near future.
For extra precaution, an audit will be underway to ensure security of the protocol.
We would like to express our sincere gratitude to the Sushiswap team, for lending their expertise in helping us spot the vulnerability and solve the situation as quickly as possible.
