Blockchain technology and smart contracts are significant innovations. However, the technology is only as secure as the code written for it. Trader Joe is one of the blockchain projects that, with the help of multi-auditing, avoided a potential catastrophe due to a code vulnerability.
Trader Joe Gets Multiple Code Reviews, But....
It is good to see more DeFi projects undergo code reviews to ensure their project will keep clients' funds safe. As most of these solutions are decentralized and trustless, the code must hold up under pressure and not contain any vulnerabilities. I am glad to see more audits happening, although everyone needs to remember they are not a guarantee for safe and secure code, unfortunately,
In the case of Trader Joe, the security audits themselves were rather interesting. Even though the team has undergone more than one of these audits, it appeared most of the verification procedures overlooked one crucial vulnerability. I can understand it is difficult for auditing firms to look at everything and wonder if it works as intended, although when multiple parties miss the same issue, something doesn't appear right.
Per the explanation, there was a vulnerability in the MasterChefJoeV2 contract. Suppose an attacker took a flash loan and deposited tokens eligible for double rewards. In that case, they could emergency withdraw them, deposit a single token back, and harvest the bonus rewards as they would have with the total amount of initial tokens. That is a significant vulnerability and one that can have severe consequences. Furthermore, if multiple people exploited that option, double rewards would be issued to users who do not provide the necessary liquidity.
Although the TraderJoe team removed the double rewarder contracts, it is still a strong wake-up call. With $25,000 in rewards at stake, pulling the plug is the option I would take as well. Interestingly, this issue was discovered by the SushiSwap team and not an auditing firm. However, TraderJoe has confirmed they will undergo a new audit to re-evaluate the entire protocol's security measures.
Why Would SushiSwap Do This?
For those unfamiliar, SushiSwap is one of the biggest decentralized exchanges in the world. The protocol initially aimed to compete with Uniswap, although it is challenging to dethrone the undisputed king of decentralized trading. Even so, SushiSwap is a successful platform and a platform I enjoy using for some of my tradings. Competition among DEXes is a good thing, as it fuels ongoing innovation and improvements.
As Trader Joe is a DEX and lending platform, it is — in theory — a competitor to SushiSwap. However, if any cog in the DeFi machine fails, the impact on other projects can be rather severe. Keeping all projects safe from harm benefits the broader industry, including services that would otherwise be competitors. Moreover, Trader Joe is an up-and-coming platform that is gaining a lot of Total Value Locked on the Avalanche blockchain, making it a platform worth supporting, in my view.
Moreover, the open-source nature of smart contracts makes them easy to access and read. Therefore, it is in every developer's best interest to look at how others put their code and functions together. If something seems amiss, alerting the code creator is the courteous thing to do. I find it heartwarming that SushiSwap to alert Trader Joe about this issue, even though they had no obligation to do so.
The HashEx Angle
As one of the companies auditing Trader Joe, HashEx looked at the code for this project and documented a few issues in their initial audit report. The issue affecting the smart contract and double rewards was not discovered at the time. SushiSwap’s team was already notified about the issue, allowing them to offer a helping hand. HashEx offered support and advice regarding the severe bugs and recommendations on what to address.
The HashEx team conducted a preliminary smart contract audit for TraderJoe in August 2021. The team notes three high-severity issues and several code improvements to be made. As is courtesy in this industry, the firm included several recommendations to ensure these bugs coil not become critical flaws if left unaddressed.
Following the discovery of the vulnerability, the team looked back at the code and confirmed no one had any time to exploit the vulnerability before Trader Joe removed the double rewards. Moreover, the EmergencyWithdraw function was used three times for small amounts, confirming no funds have been stolen. However, it is evident that multiple audits from several independent companies — something that is largely accepted in the DeFi space — are an absolute must for any self-respecting project.
In the end, the vulnerability has been addressed, and no funds have been lost. Trader Joe and its users are happy and can continue using Avalanche's service without any issues. The double rewards are no longer in play, although removing them was the only viable option to guarantee safety for all involved parties.
I'm glad to see such a quick resolution to this matter, and it highlights the need for multi-auditing. Having multiple sets of eyeballs go through code is essential to ensure the code works as intended and cannot be exploited in any manner. It is also a severe warning to other DeFi projects that either refuse or neglect audits, of which there are many. Having code vetted by official auditing companies or developers is essential to prevent any future mishaps.