Despite the immediate success of the dog-themed ShibaSwap decentralized exchange, there are warnings that the DEX's liquidity providers are throwing capital into an opaque protocol of questionable security.
Building on the popularity of their Dogecoin fork Shiba Inu (SHIB), the coin's developers launched their DEX on July 7th with tempting yield incentives for liquidity providers amid the dog token trading frenzy fueled by Elon Musk.
Within 24 hours of launch, the protocol had amassed a Total Value Locked (TVL) of more than $1 billion.
On July 8, platform reviewer DeFi Safety published a report on ShibaSwap that rated the protocol at only 3%, well below the 70% the site considers a pass.
DeFi Safety called the score “a devastating mistake” and failed ShibaSwap on all but two of its 22 review criteria, with the protocol getting 30% for the clarity of the information provided in its whitepaper.
The author of the review is Rex Hygate, the founder of SecuEth and Caliburn Consulting. He highlighted the anonymous team at ShibaSwap, the lack of transparency and documentation, and pointed out the fact that there is no public software repository, development history or opportunities to test the code.
ShibaSwap is up with a devastating 3% score. If you’re looking for a prime example of what total negligence looks like on a log, you’ve come to the right place. Zero transparency. You are putting your money in a black hole. https://t.co/dUzU0vvCHW @ChrisBlec @ShibArmy #DeFi pic.twitter.com/QG3ykYakdt
– DeFi Safety (@DefiSafety) July 7, 2021
On July 7, Solidity developer Joseph Schiarizzi published an article warning that ShibaSwap’s staking contract had been under the control of a single address for most of its first day of operation.
While ShibaSwap has since updated the contract to a multi-signature account that requires six of its nine Safe owners to approve a transaction before it can be executed, Schiarizzi warns that all of the addresses could be under the control of a single entity:
“Several of these secure owners are new accounts with 0 transactions and no ETH, so they are most likely just placeholders for the ShibaSwap developers who can easily agree to designate each owner as a function for the staking contract only.”
Emphasizing the risks associated with having the staking contract's migration function under the control of a single entity, Schiarizzi noted that contract holders "can simply deploy a new migrator contract that will send all LP tokens to themselves".
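The owner-independence concern above can be turned into a due-diligence check. The following is an added example, not code from Schiarizzi, DeFi Safety or ShibaSwap: it counts owners with no transactions and no ETH and computes the worst-case number of distinct parties able to meet a signing threshold. It goes beyond the article by also grouping owners that share a funding address; the `funder` field, the owner labels and all sample values are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Owner:
    address: str                  # constructed label, not a real address
    nonce: int                    # outgoing transaction count
    balance_wei: int              # current ETH balance
    funder: Optional[str] = None  # assumed field: sender of first inbound transfer


def is_placeholder(owner: Owner) -> bool:
    """No transactions and no ETH: the pattern Schiarizzi flagged."""
    return owner.nonce == 0 and owner.balance_wei == 0


def min_parties_to_execute(threshold: int, owners: List[Owner]) -> int:
    """Worst-case number of distinct controllers able to reach the threshold."""
    if not 1 <= threshold <= len(owners):
        raise ValueError("threshold must be between 1 and the owner count")
    clusters = Counter()
    for o in owners:
        # Owners with no history cannot be told apart, so count them as one party;
        # owners with history are grouped by funder when one is known.
        key = "unattributed" if is_placeholder(o) else (o.funder or o.address)
        clusters[key] += 1
    signatures = parties = 0
    for size in sorted(clusters.values(), reverse=True):
        signatures += size
        parties += 1
        if signatures >= threshold:
            break
    return parties


def sample_owners() -> List[Owner]:
    """Constructed 9-owner set: five fresh accounts, four with history."""
    fresh = [Owner(f"fresh_{i}", 0, 0) for i in range(5)]
    used = [
        Owner("used_0", 12, 10**17, funder="funder_A"),
        Owner("used_1", 3, 5 * 10**16, funder="funder_A"),
        Owner("used_2", 40, 10**18),
        Owner("used_3", 7, 2 * 10**17),
    ]
    return fresh + used


if __name__ == "__main__":
    owners = sample_owners()
    print("placeholder owners:", sum(is_placeholder(o) for o in owners))
    print("parties needed for 6-of-9:", min_parties_to_execute(6, owners))
```

On the constructed set, a nominal 6-of-9 threshold can be met by as few as two parties, whereas nine owners with independent histories would require six.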
DeFi Watch analyst Chris Blec shared Schiarizzi's warnings about the safety risks of ShibaSwap with his 22,000 followers and highlighted the DeFi Safety review.
⚠️ Yesterday it was found that all funds in ShibaSwap could be withdrawn from 1 Ethereum account.
ShibaSwap then changed hands to a new Gnosis multisig with unknown signers and new addresses.
The problem: It is possible to create a multisig and own all the keys yourself. pic.twitter.com/wSN1yOB2Qn
– Chris Blec (@ChrisBlec) July 7, 2021