Ignored bounty disclosure

Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap's assessment for RD-F-008 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

RouteProcessor2 exploit (April 2023): HYDN security team identified the vulnerability during incident response and helped Sushi execute a partial rescue. No evidence of a prior disclosure that was known to the team and ignored before the exploit. The exploit occurred within hours of vulnerability discovery. Kashi 2022 exploit: stale oracle reading — no evidence of a prior ignored disclosure found in available sources. No other post-mortem evidence of ignored bounty disclosure.

Sources #

URL
RouteProcessor2 Post Mortem — SushiRP2 post-mortem — HYDN identified vulnerability, Sushi collaborated on rescue; no prior ignored disclosure indicatedretrieved 2026-05-17
URL
BlockSec Kashi KashiPairMediumRiskV1 exploit analysisBlockSec Kashi exploit analysis — stale oracle pattern, no prior disclosure evidenceretrieved 2026-05-17

Methodology #

Determine whether any prior post-mortem documents a disclosed vulnerability that was reported to the team and not actioned before exploit.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol sushi factor RD-F-008 score green collected_at 2026-05-16 19:50:37