defirisk.co
rubric v1.7.0

Rescue/emergencyWithdraw without timelock

The assessment of Sushi (SushiSwap), covering v2, v3, Trident, BentoBox/Kashi and SushiXSwap, for factor RD-F-041 scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

Core V2/V3 AMM contracts (factory, pairs/pools, routers) have no `emergencyWithdraw` or admin-callable rescue function; they are non-upgradeable and non-pauseable. The BentoBox owner can change the yield strategy with a hardcoded 2-week delay, and cannot directly drain user deposits (share-based accounting prevents this, per the BentoBox source). MasterChef has an `emergencyWithdraw` callable by any user (not an admin rescue). No direct admin drain path was found for the core protocol. Scored yellow: BentoBox strategy setting is admin-controlled without a formal TimelockController, representing partial exposure.

Sources

  • URL
    RouteProcessor2 Post Mortem — Sushi
    SushiSwap RouteProcessor2 post-mortem — 'contract was non-upgradeable, could not be paused'
    retrieved 2026-05-17
  • Docs
    BentoBoxV1 — Etherscan
    BentoBox source via Etherscan — owner limited to setStrategy (2-week delay) and setStrategyTargetPercentage; no drain function; share accounting prevents direct drain
    retrieved 2026-05-17

Methodology

Determine whether a `rescue(…)` or `emergencyWithdraw(…)` function exists that an admin can call without a timelock delay on execution.


rubric_version: v1.7.0
protocol: sushi
factor: RD-F-041
score: yellow
collected_at: 2026-05-16 19:50:37