Is ShibaSwap safe? DeFi Safety review gives it a score of just 3%
Despite the immediate success of dog-themed decentralized exchange ShibaSwap, there are warnings that the DEX’s liquidity providers are throwing capital into an opaque protocol of questionable security.
Building on the popularity of their Doge-style token, Shiba Inu (SHIB), amid the Elon Musk-stoked dog-token trading frenzy, the coin’s developers launched their DEX with enticing yield incentives for liquidity providers on Tuesday.
Within 24 hours of launching, the protocol had amassed a total value locked (TVL) of more than $1 billion.
On Wednesday, platform reviewer DeFi Safety published a report on ShibaSwap, scoring the protocol at just 3%, far below the 70% level the site considers a pass.
Describing the score as “a devastating fail,” DeFi Safety failed ShibaSwap on all but two of its 22 review criteria, with the protocol scoring 30% for the clarity of information provided in its white paper.
The review’s author is Rex Hygate, the founder of SecuEth and Caliburn Consulting. He highlighted ShibaSwap’s anonymous team, lack of transparency and documentation and pointed to the fact there is no public software repository, development history, or way to test the code.
ShibaSwap is up with a devastating 3% score. If you are looking for a prime example of what absolute negligence looks like in a protocol, look no further than this. Zero Transparency. You are putting your money in a black hole. https://t.co/dUzU0vvCHW @ChrisBlec @ShibArmy #DeFi pic.twitter.com/QG3ykYakdt
— DeFi Safety (@DefiSafety) July 7, 2021
The platform is undergoing an audit by Certik, which has worked with Crypto.com, Ontology and Neo, among others. The audit is ongoing, and no information is yet available.
On Wednesday, Solidity developer Joseph Schiarizzi posted an article warning that ShibaSwap’s staking contract had been under the control of just a single address for most of its first day of operation.
While ShibaSwap has since updated the contract to a multi-signature account requiring six of nine Safe Owners to agree on transactions before they can be executed, Schiarizzi warns that each of the addresses may be under the control of a single entity:
“Multiple of these Safe Owners are new accounts with 0 transactions and no ETH, so they are most likely just place holders for the ShibaSwap devs who can agree easily to call any owner only function on the staking contract.”
Schiarizzi emphasized the risks associated with the staking contract’s migrate function being under the control of a single entity, identifying that the contract owners “can simply deploy a new migrator contract which sends themselves all the LP tokens.”
DeFi Watch analyst Chris Blec shared Schiarizzi’s warnings about ShibaSwap’s security risks to his 22,000 followers and highlighted the DeFi Safety review.
⚠️ Yesterday, it was noticed that all funds in ShibaSwap could be drained by 1 Ethereum account.
ShibaSwap then switched ownership to a new Gnosis multisig with unknown signers & fresh addresses.
The problem: it’s possible to create a multisig and own all the keys yourself. pic.twitter.com/wSN1yOB2Qn
— Chris Blec (@ChrisBlec) July 7, 2021
Updated to include the fact Certik is working on an audit of the platform.