One of the developers behind popular decentralized substitution SushiSwap has rejected a purported vulnerability reported past a white-hat hacker snooping through their smart contracts.

According to media reports, the hacker claimed to have identified a vulnerability that could place more than $ane billion worth of user funds under threat, stating they went public with the information after attempts to reach out to SushiSwap'south developers resulted in inaction.

The hacker claims to take identified a "vulnerability within the emergencyWithdraw function in two of SushiSwap's contracts, MasterChefV2 and MiniChefV2" — contracts that govern the exchange'due south 2x reward farms and the pools on SushiSwap's not-Ethereum deployments, such as Polygon, Binance Smart Chain and Avalanche.

While the Emergency Withdraw function allows liquidity providers to immediately claim their liquidity provider tokens while forfeiting rewards in the event of an emergency, the hacker claims the feature will fail if no rewards are held within the SushiSwap pool — forcing liquidity providers to wait for the pool to exist manually refilled over a roughly x-hr procedure before they can withdraw their tokens.

"It can take approximately 10 hours for all signature holders to consent to refilling the rewards account, and some reward pools are empty multiple times a month," the hacker claimed, adding:

"SushiSwap'due south non-Ethereum deployments and 2x rewards (all using the vulnerable MiniChefV2 and MasterChefV2 contracts) agree over $ane billion in total value. This means that this value is essentially untouchable for 10-hours several times a month."

However, SushiSwap's pseudonymous developer has taken to Twitter to reject the claims, with the platform's "Shadowy Super Coder" Mudit Gupta stressing that the threat described "is not a vulnerability" and that "no funds are at hazard."

Gupta clarified that "anyone" can acme up the pool's rewarder in the consequence of an emergency, bypassing much of the 10-hour multi-sig process the hacker claimed is needed to replenish the rewards puddle. They added:

"The hacker's claim that someone can put in a lot of lp to drain the rewarder faster is incorrect. Reward per LP goes downwardly if yous add together more LP."

Related: SushiSwap'south token launchpad, MISO, hacked for $3M

The hacker said they had been instructed to report the vulnerability on bug bounty platform Immunefi — where SushiSwap is offering to pay rewards of up to $twoscore,000 to users who study risky vulnerabilities in its lawmaking — after they commencement reached out to the exchange.

They noted that the issue was airtight on Immunefi without compensation, with SushiSwap stating it was enlightened of the thing described.