A vulnerability has been discovered in the operation of the DeFi platform SushiSwap: a token owner retains the right to vote even after the tokens are transferred. Developer Jong Seok Park wrote about the double-spend bug on his blog.
The SushiSwap governance mechanism allows token holders to delegate their voting rights. Transferring assets out of a wallet should reset the delegation parameters, but because of an error the user retains governance authority.
As Park explained, the double-spend bug allows a user to expand voting rights through delegation transactions. His proposed fix is to add the “moveDelegates” code to the SushiSwap smart contract so that it runs when a token is transferred.
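The accounting error and the proposed fix can be seen in a small Python model, added here as an illustration; it is not SushiSwap's contract code or Park's. The class, wallet names and amounts are constructed, and `_move_delegates` is a hypothetical stand-in for the “moveDelegates” step.

```python
class GovToken:
    """Toy model of a vote-delegating token (constructed for illustration)."""

    def __init__(self, move_on_transfer):
        self.move_on_transfer = move_on_transfer  # False models the reported bug
        self.balances = {}   # holder -> token balance
        self.delegates = {}  # holder -> chosen delegatee
        self.votes = {}      # delegatee -> voting power

    def _move_delegates(self, src, dst, amount):
        # Hypothetical stand-in for the "moveDelegates" step named in the article.
        if src == dst or amount == 0:
            return
        if src is not None:
            self.votes[src] = self.votes.get(src, 0) - amount
        if dst is not None:
            self.votes[dst] = self.votes.get(dst, 0) + amount

    def mint(self, to, amount):
        self.balances[to] = self.balances.get(to, 0) + amount
        self._move_delegates(None, self.delegates.get(to), amount)

    def delegate(self, holder, delegatee):
        old = self.delegates.get(holder)
        self.delegates[holder] = delegatee
        self._move_delegates(old, delegatee, self.balances.get(holder, 0))

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount
        if self.move_on_transfer:  # the fix: voting power follows the tokens
            self._move_delegates(self.delegates.get(src),
                                 self.delegates.get(dst), amount)


def votes_after_hops(move_on_transfer, hops=3, supply=100):
    """Return (votes held by 'rep', total supply) after one balance changes
    wallets hops-1 times, each wallet delegating to 'rep' while it holds it."""
    token = GovToken(move_on_transfer)
    token.mint("w0", supply)
    for i in range(hops):
        token.delegate(f"w{i}", "rep")
        if i < hops - 1:
            token.transfer(f"w{i}", f"w{i + 1}", supply)
    return token.votes.get("rep", 0), sum(token.balances.values())
```

The invariant to check in an audit or a test suite is that total delegated voting power never exceeds token supply; the model without the transfer hook violates it, and the model with the hook holds it.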
In a comment to Cointelegraph, FTX CEO Sam Bankman-Fried confirmed the vulnerability. However, he thinks that “it doesn’t pose an immediate problem for Sushi” as governance hasn’t yet been activated.
Previously, experts found ten vulnerabilities in SushiSwap. One of them allows the liquidity provider token to be re-added; another can lead to the transfer of funds to any address.
Recall that the anonymous creator of SushiSwap, “Chef Nomi”, sold half of the platform developers’ fund. This triggered a fall in the SUSHI rate from $11 to $2.35.