Remove rug pull code from smart contracts

Hi,

Developers of other platforms like Goose Finance are warning that rugpull code is present in SushiSwap and its forks like PancakeSwap and others. This could allow a group of malicious/hacked developers to steal the funds of all users. This extremely dangerous code is used to update the vaults without user intervention. Of course many top platforms are not using it. The alternative to update vaults is very simple: when a new version of the vault is released (i.e. V2), users with funds in a V1 vault must migrate their funds to the V2 vault, which is simple, secure and fast.

I am not a Solidity developer but it looks like the code is in the MasterChef contract, just search for “function migrate”. SushiSwap: MasterChef LP Staking Pool | 0xc2EdaD668740f1aA35E4D8f227fB8E17dcA888Cd

Platforms that require manual migration have a button to show/hide old vaults, so the UI is clean and shows only the current vaults by default. As an example, check the Beefy Finance UI:

They have a checkbox for “Retired Vaults” disabled by default.

Most users don’t know about this danger, so this should be fixed as soon as possible as they can’t make an informed decision about it. If developers don’t agree with this, then I would like to formally propose a vote on this.

Regards


“platforms like Goose Finance are warning about rugpull code is present in SushiSwap”
Can you link to this?

Does this transfer the costs of migration to the customer?

I read Keno’s response in Discord and I can’t see this being an issue for as many people as you think, though personally, and while I want to look at it some more, were it put up for a vote I would maybe vote for it. Thanks for taking the time to post.

https://goosedefi.gitbook.io/goose-finance/security/rugpull-migrator-code

Here they explain that the code comes from PancakeSwap (which is a fork of SushiSwap). I have read this in other new platforms. They also explain on other sites that the code is inherited from SushiSwap and was used for the migration from Uniswap.

The cost of manual migration for the users is very low: they only have to move their LP tokens from the old vault to the new one. It’s easy and fast. That’s how it’s done on other platforms not using migrator code.

Most people are not worried about this because most of them are not developers and don’t know about it.

You’re welcome :slight_smile: