Address the SushiSwap Migrator Death Trap

Summary
Problem: SushiSwap Migrator has no slippage tolerance or monitoring for price discrepancy across Uniswap and SushiSwap. This is a readily vulnerable attack vector on all smaller pools that are not actively arbed by MEV bots.

Abstract
Outside of Tokemak LP, who is frequently utilizing the migrator, many of the users are getting absolutely rekt when they enter the SushiSwap Migrator Death Trap.

The attack is as follows:

  1. User initiates migration
  2. MEV bot buys up entire pool on SushiSwap
  3. User adds LP at insane price (0.00… token + XX ETH)
  4. Excess token goes back to user wallet
  5. MEV bot sells tokens back and takes the entirety of the ETH from LP add
  6. User is left with ~zero LP and no ETH. They lose half of what they deposit into the migrator.

This happens a lot. It would not be possible if users manually pulled LP from Uniswap and deposited to Sushiswap.

Here are a few recent examples:

There are less egregious examples, too, where users are routinely taking some % hit from the MEV bots. Given that there is very little actual use of the migrator, the number of users getting BTFO is an alarming percentage.

Motivation
As a recent victim, it is important for me to help others in our ecosystem avoid the same fate. Furthermore, it is my hope that the Sushi community might see it as proper to reimburse some of those who were exploited via the Sushi Migrator Death Trap.

Specification
Remove the Sushi Migrator Button from the Liquidity tab https://app.sushi.com/legacy/migrate?chainId=1 until an MEV protection fix can be implemented so that others do not stumble their way into the Sushi Migrator Death Trap.

Identify and reimburse those who have suffered serious losses merely by trying to migrate their TLV from the Uniswap into the SushiSwap ecosystem.

For: The average SushiSwap app user should be able to trust the app

Against: The average SushiSwap app user should know that extra steps are necessary to protect themselves from MEV attacks when using the app

Deactivate the Migrator Button
  • Yes
  • No

0 voters

Identify and Reimburse Victims
  • Yes
  • No

0 voters

If using a migrator, use Flashbots relay to protect the transaction from the mem pool.

I would support disabling it and leaving it to manual migration, as it’s not a good UX to get sandwiched and I don’t think the concept of public mem pools and front running are widely understood enough to rely on people to protect themselves.
Wouldn’t support reimbursement as all these protocols are use at our own risk.
It is horrible to lose money to bots and slippage so I do hope you make that back, and will raise the suggestion of disabling it or integrating sushi guard if that’s the best approach.

1 Like

Sushi has a MEV protection relay, api.sushirelay.com/v1

I will see about getting a banner warning when accessing this page and functionality. We should be able to extend the existing Sushi Guard swap feature to this.

Thanks for the detailed write-up. If you have questions, just ping me on Discord or Telegram.

1 Like

We’ll roll out some updated contracts. The SushiRoll contract was written by Nomi, and this was long before MEV was so prevalent, so slippage protections weren’t considered.

2 Likes
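
The numbered steps in the opening post, and the slippage protection the last reply says was not considered, worked through as an added example (not SushiRoll or any Sushi contract code, and not part of the thread). It is a simplified constant-product pool with constructed reserves and amounts; `Pool`, `migrate`, `skew_eth` and `max_slippage` are hypothetical names. It shows the deposit failing with an error once minimum amounts are enforced.

```python
FEE = 0.003  # V2-style 0.3% swap fee; every number in this file is constructed

class SlippageError(Exception):
    """Deposit would use less than the caller's stated minimums."""

class Pool:
    """Simplified constant-product (x*y=k) pool, not a real contract."""
    def __init__(self, token, eth, shares):
        self.token, self.eth, self.shares = token, eth, shares

    def swap(self, eth_in=0.0, token_in=0.0):
        """Swap one side for the other; returns the amount paid out."""
        if eth_in:
            out = self.token * eth_in * (1 - FEE) / (self.eth + eth_in * (1 - FEE))
            self.eth, self.token = self.eth + eth_in, self.token - out
        else:
            out = self.eth * token_in * (1 - FEE) / (self.token + token_in * (1 - FEE))
            self.token, self.eth = self.token + token_in, self.eth - out
        return out

    def add_liquidity(self, token_want, eth_want, token_min=0.0, eth_min=0.0):
        """Deposit at the pool's current ratio, enforcing the caller's minimums."""
        token_in = min(token_want, eth_want * self.token / self.eth)
        eth_in = min(eth_want, token_want * self.eth / self.token)
        if token_in < token_min or eth_in < eth_min:
            raise SlippageError(f"would deposit {token_in:.2f} tokens, minimum {token_min:.2f}")
        minted = self.shares * eth_in / self.eth
        self.token += token_in
        self.eth += eth_in
        self.shares += minted
        return token_in, eth_in, minted

def migrate(skew_eth=0.0, max_slippage=None):
    """Return (user's final value in ETH, ETH profit of whoever skewed the pool)."""
    pool = Pool(token=1_000_000.0, eth=10.0, shares=100.0)    # small, thinly traded pool
    user_token, user_eth = 500_000.0, 5.0                     # withdrawn at the fair price
    bought = pool.swap(eth_in=skew_eth) if skew_eth else 0.0  # step 2 in the post
    keep = 0.0 if max_slippage is None else 1 - max_slippage  # None = no minimums at all
    token_in, eth_in, minted = pool.add_liquidity(            # step 3
        user_token, user_eth, user_token * keep, user_eth * keep)
    eth_back = pool.swap(token_in=bought) if bought else 0.0  # step 5
    price = pool.eth / pool.token                             # ETH per token afterwards
    lp_value = minted / pool.shares * (pool.eth + pool.token * price)
    returned = (user_token - token_in) * price + (user_eth - eth_in)  # step 4
    return lp_value + returned, eth_back - skew_eth
```

With these constructed numbers, `migrate(skew_eth=1000.0)` leaves the user with roughly half of the 10 ETH they started with, while `migrate(skew_eth=1000.0, max_slippage=0.01)` raises `SlippageError` before any funds move.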