Security Announcement: Double rewards removed due to vulnerability

Today the Sushiswap team reviewed our contracts and spotted a vulnerability with double rewards in our MasterChefJoeV2 contract.

TL;DR: LPs are safe. Double rewards were vulnerable to being drained by a flash loan attack, and both of our double rewarder contracts (VSO/AVAX and YAK/AVAX) have been removed. In total, $25k was at risk.

Details

```solidity
// Withdraw without caring about rewards. EMERGENCY ONLY.
function emergencyWithdraw(uint256 _pid) public {
    PoolInfo storage pool = poolInfo[_pid];
    UserInfo storage user = userInfo[_pid][msg.sender];
    // Returns the LP tokens and zeroes the user's record in MasterChefJoeV2,
    // but never calls the pool's double rewarder contract.
    pool.lpToken.safeTransfer(address(msg.sender), user.amount);
    emit EmergencyWithdraw(msg.sender, _pid, user.amount);
    user.amount = 0;
    user.rewardDebt = 0;
}
```

Our emergencyWithdraw function on MasterChefJoeV2 does not call the double rewarder contract, so the rewarder's record of the user's stake is never reset. An attacker is therefore able to take a flash loan, deposit into a double reward farm (either VSO/AVAX or YAK/AVAX) and drain the bonus rewards.

How the attack works:

  • Attacker takes a flash loan.
  • Deposits x LP tokens into any double reward farm (either YAK/AVAX or VSO/AVAX).
  • Emergency withdraws its LP tokens.
  • Deposits a single LP token back into the same farm and waits n number of days.
  • Harvests the bonus reward (either YAK or VSO) as if it had x number of LP tokens instead of 1 LP token.
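The accounting gap behind these steps, as an added Python model (this is illustrative code written for this post, not Trader Joe's contract code): a per-second bonus rewarder that only learns a staker's LP balance through the hook MasterChef calls, run once with a silent emergency withdraw, as in the snippet above, and once with the hook also called on emergency withdraw. The names, the 1000/1 LP amounts, the one-reward-per-second rate and the timings are constructed.

```python
from fractions import Fraction
# Constructed model, not the real contracts: the rewarder learns a user's LP
# amount only through on_reward(), which the MasterChef calls for it.

class Rewarder:
    def __init__(self, reward_per_sec):
        self.reward_per_sec = reward_per_sec
        self.amount, self.reward_debt = {}, {}     # what the rewarder believes is staked
        self.acc_per_share, self.last_time = Fraction(0), 0

    def update(self, now, lp_supply):
        if now > self.last_time and lp_supply > 0:
            self.acc_per_share += Fraction((now - self.last_time) * self.reward_per_sec, lp_supply)
        self.last_time = now

    def on_reward(self, user, lp_amount, now, lp_supply):
        """Hook the MasterChef calls: pay pending bonus, then re-sync the user's amount."""
        self.update(now, lp_supply)
        paid = self.amount.get(user, 0) * self.acc_per_share - self.reward_debt.get(user, 0)
        self.amount[user] = lp_amount
        self.reward_debt[user] = lp_amount * self.acc_per_share
        return paid

class MasterChef:
    def __init__(self, rewarder, notify_on_emergency):
        self.rewarder = rewarder
        self.notify_on_emergency = notify_on_emergency  # False = behaviour shown in the post
        self.amount, self.lp_supply = {}, 0

    def deposit(self, user, lp, now):
        self.amount[user] = self.amount.get(user, 0) + lp
        self.lp_supply += lp
        return self.rewarder.on_reward(user, self.amount[user], now, self.lp_supply)

    def emergency_withdraw(self, user, now):
        self.lp_supply -= self.amount.get(user, 0)
        self.amount[user] = 0
        if self.notify_on_emergency:  # the fix: tell the rewarder the stake is gone
            self.rewarder.on_reward(user, 0, now, self.lp_supply)

def run_sequence(notify_on_emergency, x=1000):
    """Return (LP the rewarder still credits after emergency withdraw, bonus paid on re-deposit)."""
    rewarder = Rewarder(reward_per_sec=1)
    mc = MasterChef(rewarder, notify_on_emergency)
    mc.deposit("honest", 1000, now=0)       # a bystander staker in the same farm
    mc.deposit("user", x, now=0)
    mc.emergency_withdraw("user", now=1)
    stale = rewarder.amount["user"]
    paid = mc.deposit("user", 1, now=1001)  # 1000 s later, with nothing staked meanwhile
    return stale, paid
```

In the silent run the rewarder pays 1000 of the 1001 bonus tokens emitted to an account that held no LP for those 1000 seconds while still owing the bystander its 1000, so the rewarder is over-committed and drains; with the hook called on emergency withdraw, the re-deposit pays nothing.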

We have now removed the double rewarder contracts from VSO/AVAX and YAK/AVAX farms. Users who had pending bonus rewards will not receive them anymore — we deeply apologize for this.

Summary

We want to reassure everyone that the MasterChefJoeV2 is currently safe since double rewards have now been removed and will not be implemented in the near future.

As an extra precaution, an audit will be carried out to ensure the security of the protocol.

We would like to express our sincere gratitude to the Sushiswap team for lending their expertise in helping us spot the vulnerability and resolve the situation as quickly as possible.

Trader Joe

One-stop Trading Platform on Avalanche