Try   HackMD

Incident Report (12/10/2021)

Incident Report: Integrating the new SushiMaker contract

While testing efforts to improve the operations of bridging of LP fees back to SushiMaker on Ethereum Mainnet from an expansive list of networks, a portion of fees was sent to the pool itself resulting in a loss of $400,000 fees from Polygon to the SushiBar.

The new SushiMaker offers a variety of advantages including prevention of potential sandwich attacks when unwinding LP positions to buy SUSHI.

During a particular unwinding action to deal with an edge case, $600k worth of fees were sent back to the pool address, due to wrongful encoding.

The relevant transaction can be found here:
https://polygonscan.com/tx/0x5610e8b733e371c1277458cf860a600f6c39c35f79fb2b7358d69118d27771cf

An active MEV bot extracted the liquidity and swapped the two tokens. However during this swap, the bot suffered a loss of $240k as one of the tokens had no liquid market. The token in question should have been redeemed for its underlying backed asset instead, hence the original edge case in unwinding operations and reason for the initial withdrawing of LP tokens from the SushiMaker contract, which led to the encoding error.

Sushi contributors involved in this testing sent an onchain message to the MEV bot asking for a return of the lost fees:
https://polygonscan.com/tx/0xd960a4ecdc5b6b4aceeea1a8c0cc54ccc29563fff913babef9541ab3e0c3ee0f

The bot subsequently returned $200k, which was then appropriately bridged back to Ethereum mainnet and served to the SushiBar.

In light of these errors, contributors have taken several steps to mitigate future errors. Inclusive of those steps is a new withdraw method enabling the owner (multisig) to withdraw without performing any special encoding was implemented to reduce complexity and chance of mistakes.

Last changed by 
Sushi
Sushi Contributors
0
114

Read more

Sushi 2.0 🍣

The early part of 2021 was fantastic for Sushi, the team, the holders, and the community. We were leading the way with a number of innovative product releases and pulling off what felt like the impossible. However, we were plagued with consistent issues for most of the remaining year which hurt the morale of the team, trust was lost with the community, and productivity was at an all-time low. 2022 will be better. We have composed an ambitious roadmap of some of the key product releases, improvements, and ideas from the team that we'd like to tackle. Three core overriding goals: Scalability Sustainability Efficiency Hybrid Exchange Permissionless AMM is a great model, it works, it scales, but has its own trade-offs and drawbacks. Moving to a hybrid model which combines the benefits of a permissionless AMM, and of decentralized order books, both on and off-chain is the way forward. It unlocks a huge volume potential by capturing the positive flow from aggregators, by offering the best execution prices which by default incentivizes volume. Even more, can be done though. Utilizing abstractions of layers & networks, liquidity could be utilized cross-chain via various solutions such as Layer Zero, for example, to provide the lowest execution price no matter what network you live on. The same idea can be replicated among various products in the Sushi ecosystem.

Feb 13, 2023
SushiXSwap Scenario Doc

SushiXSwap - Cross Chain Swap Sushi-X-Swap enables cross chain swaps on Sushiswap on the supported networks. It supports all combinations of wallet, bentobox, trident and legacy AMM. It supports Stargate bridge as of now. Scenarios We assume that the tokens and bentobox approvals are already done. If not, add that at the start of the action. Asset Transfer - Stargate Supported Assets - USDC, USDT, STG BentoBox - Stargate - BentoBox In this case, use ACTION_SRC_TRANSFER_FROM_BENTOBOX and unwrap the tokens to this contract address. After this add action STARGATE_TELEPORT. On the dst chain, use ACTION_DST_DEPOSIT_TO_BENTOBOX, which deposits it to the bentobox.

May 23, 2022
Postmortem (26/04/2022)

Postmortem: 26th April, 2022 Participant: Sushi Core Team (Sarang, Matthew, Ramin, Jiro), Synthetix (JJ, Ethernaut) On April 26, 2022 at 11:33 PM UTC Sushi was alerted of a bug at handling of SNX token inside Bentobox. TLDR: ALL USER FUNDS ARE SAFE. DON'T DEPOSIT SNX OR ANY SYNTHETIX BASED ASSETS ON BENTOBOX Bentobox Contract: https://etherscan.io/address/0xf5bce5077908a1b7370b9ae04adc565ebd643966

Apr 29, 2022
Postmortem (08/16/2021)

Postmortem: August 16th, 2021 Participants: samczsun, Georgios Konstantonopoulos, Dan Robinson, Duncan Townsend, Mitchell Amador, Joseph Delong, Mudit Gupta, Keno, Omakase Tech Team: samczsun, Georgios Konstantopoulos, Duncan Townsend, Keno, Mudit Gupta, Omakase Comms Team: Mitchell Amador, Joseph Delong, Omakase On August 16th, 2021 at 17:40 UTC Sushi was alerted of a vulnerability within the Miso Dutch Auction contract submitted by samczsun, Georgios Konstantopoulos, and Dan Robinson. The contract in question is here: https://etherscan.io/address/0x4c4564a1FE775D97297F9e3Dc2e762e0Ed5Dda0e#code No user commitments or creator minted tokens have been lost. The contracts were not pausable or upgradeable, however since the auction had reached its max commitment we recommended the auction creator immediately finalize the auction, thereby safeguarding funds from any potential harm. No user action is required. No funds have been lost. The current BIT-SUSHI auction remains unaffected and no outstanding auctions are affected by this vulnerability.

Jan 11, 2022
Read more from Sushi
Published on HackMD