SushiSwap was dishonest about its timelock
SushiSwap has given us a reason to question the credibility of its Ops multisig signers. We should not ignore it.
NOTE: Some will say that sharing this type of info is annoying, inflammatory or unnecessary. I disagree.
I am providing this info to give you information that may help you make a valid risk assessment for yourself about SushiSwap. You may decide that this is not an important issue for you and ignore it. Or, you may decide that this is a critical issue that makes you too nervous to LP with SushiSwap. That is entirely up to you.
Either way, when it comes to admin keys, often there is no other way for you to get the context that you need without someone sharing it with you. Whenever possible, that is a role I will try to play in DeFi transparency.
First, let's back up to last year.
SushiSwap utilizes 2 multisig contracts.
- The Treasury 6-of-9 multisig, which controls the community treasury
- The Ops (as of last year) 3-of-5 multisig, which is able to upgrade smart contracts (including MasterChef) and is responsible for securing user deposits
SushiSwap has a 48-hour timelock on its MasterChef contract. To make any change or upgrade to MasterChef, a transaction from the Ops multisig must sit for 48-hours before it's executed.
In November 2020, I noticed that this timelock was owned by the Ops multisig itself. This meant that the Ops multisig had the ability to change - or even remove - the timelock. This seemed unintuitive and dangerous, so I raised the issue in SushiSwap's discord.
Members of the core team quickly agreed with me, acknowledged the security issue and publicly promised to change timelock control over to the Treasury multisig signers.
This seemed like a great outcome at the time. The team received feedback, quickly acknowledged it and said that swift action was being taken.
Except, that wasn't true. They only told us what we wanted to hear.
Fast forward to current day.
The other day, SushiSwap's CTO Joseph Delong threw some unprovoked shade at me and inferred that I was "harassing" the DeFi community with my transparency inquiries.
I make it a habit to look into any projects that criticize efforts at DeFi transparency (mine or anyone else's), because I see opposition to transparency as very harmful to the space. This isn't petty or punitive. It's logical. Anyone who is actively trying to slow or stop DeFi transparency is giving us a clue that we'd be naive not to follow. In DeFi, we have to follow whatever breadcrumbs are available.
Yesterday, I did a check-up on SushiSwap's documentation to see if there were any changes with its multisig since I had last looked. I noticed that they were promoting that the Ops multisig now had a 3-of-4 threshold (down from 3-of-5).
But then I checked their Ops multisig contract on Etherscan and noticed there were 7 signers listed.
So, who are these 3 additional signers? And isn't it dangerous that, with a 3 signature threshold, these 3 unknown signers had the weight to make any change to SushiSwap that they wanted?
I headed to Sushi's Discord and connected with a core team member who understood the problem and very quickly added the names of the additional signers.
But while that was happening, I noticed that the timelock was still owned by the Ops multisig, even though Sushi had publicly announced that it would move control to the Treasury multisig.
And that's how we got to where we are.
The Sushi team has now informed me via Discord that shortly after announcing that timelock ownership would move to the Treasury multisig, the Ops team changed its mind and decided to retain control over its own timelock contract. They thought that switching it over to the Treasury multisig would make frequent upgrades too difficult.
I have not received any explanation as to why this very important change of heart wasn't shared with the community after their very public tweets to the contrary.
There are several problems that need to be addressed:
- why did no one on the Sushi core team or in the Sushi community notice that there were 3 unnamed signers who had the power to execute any transaction?
- why did the SushiSwap team say they were going to make a change that they were not planning to make?
- why didn't the SushiSwap team inform the community (or myself) of their change of heart?
- why should we trust anything the SushiSwap team has said since then or in the future?
Whether or not these were intentionally dishonest acts, it speaks to the credibility and attention-to-detail of the SushiSwap core team. These are traits that are critical for a user to evaluate when it comes to any signer on a very powerful DeFi multisig.
With trustless DeFi, in most cases (not all), credibility of the team doesn't really matter as much because you only need to trust in the code.
However, when it comes to multisig admin keys, credibility always matters because you are trusting these human beings with the security of your deposits.
Multisigs cannot provide provable security on their own. Users must always put their trust in the signers. If a community can't trust what a multisig signer says when it comes to protocol security, then the multisig story falls apart.
I happen to like the SushiSwap devs. They've always been polite and quickly responded to my questions. But that doesn't change the fact that they were dishonest in this crucial case.
What has the SushiSwap team revealed about its credibility and professionalism by being dishonest (whether intentionally or inadvertently) about the ownership of its timelock?
How important is it for DeFi users to be able to trust the word of powerful multisig signers?
The information is now yours. Use it to form your own personal risk assessment for this and other multisigs.
I'll share any responses that I receive from the SushiSwap team.