Problem: SushiSwap Migrator has no slippage tolerance or monitoring for price discrepency across Uniswap and SushiSwap. This is a readily vulnerable attack vector on all smaller pools that are not actively arbed by MEV bots.
Outside of Tokemak LP, who is frequently utilizing the migrator, many of the users are getting absolutely rekt when they enter the SushiSwap Migrator Death Trap.
The attack is as follows:
- User initiate migration
- MEV bot buys up enter pool on SushiSwap
- User adds LP at insane price (0.00… token + XX ETH)
- excess token goes back to user wallet
- MEV bot sells tokens back and takes the entirety of the ETH from LP add
- User is left with ~zero LP and no ETH. They lose half of what they deposit into the migrator.
This happens a lot. It would not be possible if users manually pulled LP from Uniswap and deposited to Sushiswap.
Here are a few recent examples:
There are less egregious examples, too, where users are routinely taking some % hit from the MEV bots. Given that there is very little actual use of the migrator, the number of users getting BTFO is an alarming percentage
As a recent victim, it is important for me to help others in our ecosystem avoid the same fate. Furthermore, It is my hope that the Sushi community might see it as proper to reimburse some of those who were exploited via the Sushi Migrator Death Trap
Remove the Sushi Migrator Button from the Liquidity tab https://app.sushi.com/legacy/migrate?chainId=1 until an MEV protection fix can be implemented so that others do not stumble their way into the Sushi Migrator Death Trap
Identify and reimburse those who have suffered serious losses merely by trying to migrate their TLV from the Uniswap into the SushiSwap ecosystem
For: The average SushiSwap app user should be able to trust the app
Against: The average SushiSwap app user should know that extra steps are necessary to protect themselves from MEV attacks when using the app