On the 11th of December 2022, a Twitter user with the handle Paradigm Engineer #420 called out a bug in Saddle's smart contracts that put $566k worth of user assets at risk, and the Saddle team ignored his warning.
There is an active bug in one of @saddlefinance's contracts.
Currently, at least $566k worth of funds on arbitrum are vulnerable, and who knows how many more across their many deployments across different chains.
If you have funds on Saddle, WITHDRAW IMMEDIATELY! pic.twitter.com/rQrUmIYCvw
— Paradigm Engineer #420 (@ParadigmEng420) December 11, 2022
According to Paradigm Engineer #420, $566k worth of funds on the Arbitrum chain was at risk, and that figure excludes the funds trapped in Saddle on other chains. Saddle is a DeFi protocol that has suffered hacks and losses in the past.
The first issue is with the SimpleRewarder contract. Because of a design flaw, users would be unable to withdraw their funds from the protocol if the reward tokens held by SimpleRewarder run out. This is disturbing because user funds could become inaccessible, even effectively burned.
Since the project is decentralized, no admin function gives its creators the power to unfreeze such funds. This is good in that it upholds the core principle of immutability behind decentralization. The downside is that users will lose their funds if they do not withdraw before that arbitrary deadline.
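To make the failure mode described above concrete, here is an added, constructed Solidity illustration. It is not Saddle's SimpleRewarder or MiniChefV2 code; the contract and function names are hypothetical and the reward accounting is deliberately simplified. The first contract couples the reward payout to the principal withdrawal, so an exhausted reward balance reverts every withdrawal; the second separates the two paths, caps claims at what the contract actually holds, and adds an emergency exit that forfeits rewards to recover principal, which is the defensive shape a reviewer would ask for.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Minimal ERC-20 surface used below (assumed interface, not Saddle's).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address who) external view returns (uint256);
}

// Shared, deliberately simplified accounting: each deposited unit earns
// rewardPerBlock reward units per block. Names are hypothetical.
abstract contract StakingBase {
    IERC20 public immutable lpToken;
    IERC20 public immutable rewardToken;
    uint256 public immutable rewardPerBlock;
    mapping(address => uint256) public deposited;
    mapping(address => uint256) public pendingReward;
    mapping(address => uint256) public lastBlock;

    constructor(IERC20 _lp, IERC20 _reward, uint256 _rewardPerBlock) {
        lpToken = _lp;
        rewardToken = _reward;
        rewardPerBlock = _rewardPerBlock;
    }

    // Bookkeeping only: records what the user is owed, moves no tokens.
    function _accrue(address user) internal {
        pendingReward[user] += deposited[user] * rewardPerBlock * (block.number - lastBlock[user]);
        lastBlock[user] = block.number;
    }

    function deposit(uint256 amount) external {
        _accrue(msg.sender);
        deposited[msg.sender] += amount;
        require(lpToken.transferFrom(msg.sender, address(this), amount), "lp transfer failed");
    }
}

// FRAGILE: principal withdrawal and reward payout happen in one call. Once
// the contract's reward-token balance is exhausted, the reward transfer
// fails, the require() reverts the whole transaction, and the LP tokens stay
// locked until someone refills the rewarder.
contract CoupledStaking is StakingBase {
    constructor(IERC20 lp, IERC20 r, uint256 rpb) StakingBase(lp, r, rpb) {}

    function withdraw(uint256 amount) external {
        _accrue(msg.sender);
        uint256 owed = pendingReward[msg.sender];
        pendingReward[msg.sender] = 0;
        // Reverts (or returns false) when balance < owed; nothing below runs.
        require(rewardToken.transfer(msg.sender, owed), "reward transfer failed");
        deposited[msg.sender] -= amount;
        require(lpToken.transfer(msg.sender, amount), "lp transfer failed");
    }
}

// HARDENED: the principal path never touches the reward token; rewards are
// claimed separately and capped at what the contract holds (the shortfall
// stays owed); an emergency exit forfeits rewards to recover principal.
contract DecoupledStaking is StakingBase {
    constructor(IERC20 lp, IERC20 r, uint256 rpb) StakingBase(lp, r, rpb) {}

    function withdraw(uint256 amount) external {
        _accrue(msg.sender);
        deposited[msg.sender] -= amount;
        require(lpToken.transfer(msg.sender, amount), "lp transfer failed");
    }

    function claim() external {
        _accrue(msg.sender);
        uint256 owed = pendingReward[msg.sender];
        uint256 available = rewardToken.balanceOf(address(this));
        uint256 pay = owed < available ? owed : available;
        pendingReward[msg.sender] = owed - pay; // remainder stays on the books
        if (pay > 0) {
            require(rewardToken.transfer(msg.sender, pay), "reward transfer failed");
        }
    }

    // Last resort: give up accrued rewards, get principal back, no reward call.
    function emergencyWithdraw() external {
        uint256 amount = deposited[msg.sender];
        deposited[msg.sender] = 0;
        pendingReward[msg.sender] = 0;
        lastBlock[msg.sender] = block.number;
        require(lpToken.transfer(msg.sender, amount), "lp transfer failed");
    }
}
```

The check a reviewer would run against any staking or rewarder contract is whether the principal-withdrawal path can be made to revert by a balance the user does not control; if it can, the protocol has a liveness dependency on whoever refills the rewarder, which is exactly the situation the tweet describes.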
The second issue is with the MiniChefV2 design, which includes an emergency withdrawal function. He then recommended the changes needed to reduce risk and secure user funds. But because he had first reached out to the Saddle team in November and been ignored, he believes they are planning a rug pull.
In his view, by choosing silence over communicating and fixing the issue, they intend to let their investors and employees dump their tokens before disclosing the bug to their users, by which point it would be too late for those users and the price would have crashed.
Once Paradigm Engineer #420's tweet had gained visibility, the Saddle team responded.
We really appreciate how active the DeFi developer community is. It is up to all of us to make sure user funds are Safu!
— Saddle (@saddlefinance) December 11, 2022
For the two issues he made public, their response was as follows.
Regarding the withdrawal issues, some users are already experiencing them, so Saddle is working with Sperax, a stablecoin and DEX liquidity manager, to refill the rewarder and ensure withdrawals are processed. They acknowledge that it was indeed an issue and that a solution is underway.
As for the MiniChefV2 smart contract issue, it is something they say they have been fully aware of for a while. To that end, they had closed his initial ticket and were already working on an internal roadmap to rectify and upgrade the contract. The upgrade would make it a more "feature-complete" solution to the no-withdrawal problem.
The question is this… are user funds safu if they cannot withdraw them?