Ethereum DeFi space faces three notable bugs in the span of a Sunday morning
The Ethereum DeFi space is scrambling this Sunday morning after facing a series of bugs.
Fortunately, it appears that all three are going to be solved without too many issues.
Still, these bugs once again show how nascent this space is, and the importance of managing risk when dealing with these new and sometimes unaudited protocols.
Let’s break down what happened.
#1: Saffron Finance bug
Saffron Finance is a complex derivatives product that was launched by anonymous developers and was mostly unaudited.
Even so, it took the industry by storm when it launched on November 1st. Users deposited tens of millions of dollars worth of DAI, while prominent investors in the space mentioned it in a positive light. Of course, they caveated their comments with the statement that these contracts were unaudited.
Still, at the peak yesterday, there was around $60 million worth of value locked in the protocol.
Also, the project’s native token, SFI, had surged to a market capitalization above $10 million.
On Sunday morning, though, it became clear that something had happened.
Saffron works on an epoch-based system, where funds are distributed every two weeks.
When the epoch was supposed to switch just hours ago, users began to notice they couldn’t withdraw their funds. The money was in the Saffron contract; users simply could not call the redeem function.
Main developer “Psykeeper” explained that someone had deployed a “malicious” array that somehow disabled the withdrawal function.
SFI proceeded to dive by 50 percent.
Psykeeper noted that there is an emergency withdrawal function that will allow the funds to be recovered in eight weeks.
January 24th is the date to be watching for.
An alternative withdrawal mechanism may release the funds as early as today, though some think this is a risky play.
#2: Rari withdrawal bug
Around the same time the Saffron bug arose, users began to report that they couldn’t withdraw funds from Rari Capital, a yield aggregator.
Rari was launched by a public team, though there have been many concerns about certain protocol functionality over recent weeks. Namely, withdrawals sometimes go through and sometimes do not.
A DeFi developer posted to Twitter that he thinks Rari may have deposited funds into Saffron, hence the withdrawal issues.
The Rari team quickly rebutted this comment, but the withdrawal issue persisted.
Rari is in the midst of fixing the bug.
#3: SushiSwap exploit
SushiSwap is a leading decentralized exchange forked from Uniswap. The project has been preparing for the release of novel DeFi products.
On Sunday morning, though, some users noticed interesting transactions taking place within the SushiSwap contracts.
A user had seemingly managed to turn around $1 into $1,000 in the span of a few transactions.
While the exact cause is not yet known, SushiSwap’s General Manager, “0xMaki,” deployed a fix. He added that the funds that were being siphoned away were “pure profits” as opposed to funds actually locked up within the protocol.
Possible @SushiSwap exploit found? @0xMaki sends exploiter a tx with a message to collect bug bounty.
See below
tx with message from 0xMaki: https://t.co/1MdXqw9chq
Exploiter's address: https://t.co/ehh7EassCo @DefiantNews pic.twitter.com/fRpdA1j7y1
— JuanSnow (@Juan_Snow1) November 29, 2020
All SushiSwap depositors are safe.
Again, all bugs will seemingly be fixed without much of a hitch. But that didn’t stop temporary panic and fear amongst hundreds or even thousands of DeFi users.
Stay safe out there.