ShibaSwap Staking Contract May Have Critical Design Flaw: Ex-Santiment CTO
Valentin Mihov, blockchain developer and former chief technology officer of on-chain data vendor Santiment, disclosed a critical flaw in the staking contract of newly-launched dog-themed exchange ShibaSwap.
A minimum viable rug?
Mihov shared some alarming details about the codebase of ShibaSwap, a novel decentralized exchange focused on the overhyped meme token Shiba Inu (SHIB).
You think about aping into #ShibaSwap for 5000% APR? I will advise you to be cautious. The staking contract allows to migrate the deposited funds and it's currently owned by an EOA. TLDR: All the staked funds can be rugged by the devs at any moment #WarOnRugs pic.twitter.com/1cBcJWaylV
— Valentin Mihov (@valentinmihov) July 6, 2021
The platform offers up to 5,000 percent in annualized yield to SHIB stakers. Meanwhile, its staking contract, which allows deposited funds to be migrated, is controlled by an externally owned address (EOA). Thus, its owner can drain the entire liquidity of the exchange.
This flaw makes SHIB staking prone to exit scams and manipulations:
All the staked funds can be rugged by the devs at any moment #WarOnRugs
Banteg (@banteg), a core developer of leading decentralized finance protocol Yearn.Finance (YFI), called this flaw a 'minimum viable ShibaSwap rug', as its multi-million liquidity can be easily stolen by one account on the Ethereum network.
Here's how the ShibaSwap team mitigates the issue
At 2 p.m. UTC, Banteg reported that the ShibaSwap team had reached out to him. According to their statement, control of the contract was transferred to a multi-signature account that requires 6 out of 9 private keys to authorize a transaction:
ShibaSwap devs reached out and transferred the owner role to a 6/9 multisig. They also informed they plan to deploy a timelock. The above concern has been addressed.
Also, the team shared plans to introduce a time lock mechanism, which controls token spending in a pre-determined way.
Right now, ShibaSwap is being audited by top-tier blockchain security vendor CertiK.
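The concern above (owner is an EOA) and the reported fix (owner moved to a multisig) can both be checked on-chain. The following is an added example, not code from ShibaSwap or from the researchers quoted: it reads a contract's owner() and tests whether that address has deployed code. It assumes the contract exposes the common owner() getter; the addresses, bytecode stub and fake node are constructed so it runs offline.

```python
ZERO = "0x" + "00" * 20
OWNER_SELECTOR = "0x8da5cb5b"  # first 4 bytes of keccak256("owner()")

def rpc(method, params):
    return {"jsonrpc": "2.0", "id": 1, "method": method, "params": params}

def decode_address(word):
    """ABI-decode one 32-byte return word into a 20-byte address."""
    raw = word[2:] if word.startswith("0x") else word
    if len(raw) != 64 or int(raw[:24], 16) != 0:
        raise ValueError("not a single ABI-encoded address")
    return "0x" + raw[24:].lower()

def classify_owner(contract, send):
    """Return (owner, kind); send(payload) performs one JSON-RPC call."""
    resp = send(rpc("eth_call", [{"to": contract, "data": OWNER_SELECTOR}, "latest"]))
    if "error" in resp:
        raise RuntimeError("owner() call failed: %s" % resp["error"])
    owner = decode_address(resp["result"])
    if owner == ZERO:
        return owner, "renounced"  # nobody can use owner-only functions
    code = send(rpc("eth_getCode", [owner, "latest"]))["result"]
    # An EOA has no deployed code: one private key controls every owner-only call.
    return owner, ("EOA" if code in ("0x", "") else "contract")

# --- constructed test double standing in for an Ethereum node ---
STAKING = "0x" + "11" * 20    # constructed address, not ShibaSwap's
KEY_OWNER = "0x" + "aa" * 20  # constructed single-key owner
MULTISIG = "0x" + "bb" * 20   # constructed multisig wallet contract

def fake_node(owner, code_at):
    def send(payload):
        if payload["method"] == "eth_call":
            return {"id": 1, "result": "0x" + "0" * 24 + owner[2:]}
        if payload["method"] == "eth_getCode":
            return {"id": 1, "result": code_at.get(payload["params"][0], "0x")}
        return {"id": 1, "error": {"code": -32601, "message": "Method not found"}}
    return send

before = fake_node(KEY_OWNER, {})                         # owner is a plain key
after = fake_node(MULTISIG, {MULTISIG: "0x6080604052"})  # constructed bytecode stub

if __name__ == "__main__":
    print(classify_owner(STAKING, before))  # owner classified as EOA
    print(classify_owner(STAKING, after))   # owner classified as contract
```

A result of "contract" only shows that the owner has code; the signing threshold and any timelock still have to be read from that owner contract itself.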