Circuit breaker on price deviation

Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap's assessment for RD-F-057 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

No circuit breaker on price deviation documented in Kashi contracts. The Nov-2022 exploit proceeded without any circuit breaker engaging despite large price discrepancy between cached and updated exchangeRate. KashiPairMediumRiskV1 ABI shows no pause, circuit-break, or deviation-halt function. Chainlink feeds have their own deviation threshold (0.5%–2%), but KashiPair does not implement a protocol-level halt when price moves sharply.

Sources #

URL
BlockSec: Kashi KashiPairMediumRiskV1 logic bugBlockSec Nov 2022 analysis — exploit succeeded without circuit breaker; large exchangeRate discrepancy exploitedretrieved 2026-05-17
Etherscan
KashiPairMediumRiskV1 EtherscanKashiPairMediumRiskV1 ABI — no pause() or circuit-breaker function visibleretrieved 2026-05-17

Methodology #

Determine whether the protocol halts or reverts if the oracle-reported price deviates by more than X% from a reference within Y blocks.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol sushi factor RD-F-057 score red collected_at 2026-05-16 19:50:37