Dear SaucerSwap Community,
As part of our ongoing commitment to transparency and user safety, we want to provide important information about the SaucerSwap WHBAR contract and its intended use.
The SaucerSwap WHBAR contract was specifically designed and deployed as an internal protocol component for SaucerSwap operations. While it has functioned reliably within our ecosystem since launch, we want to clarify its scope and important limitations for the broader community.
Key Points
Within SaucerSwap
Fully Functional — All WHBAR functionality within the SaucerSwap protocol remains secure and operates as intended. Users can continue to swap, provide liquidity, and interact with WHBAR through our interface without any concerns.
Ecosystem Context
Due to SaucerSwap’s position as a leading DEX on Hedera, our WHBAR contract has become widely adopted across the ecosystem. The contract was originally engineered exclusively for SaucerSwap’s internal mechanisms, where our specific safeguards ensure secure operation.
We recognize and appreciate the many projects that have successfully integrated with our WHBAR implementation. These projects have often implemented their own protective measures (such as WhbarHelper contracts) to ensure safe interactions. It’s important to note that without these protective measures, direct contract interactions can expose user funds to risk.
Understanding the Risk
For funds to be at risk, specific conditions must exist simultaneously:
- An account must have an open WHBAR allowance granted outside of an atomic transaction
- The account must be actively holding WHBAR tokens
- No protective mechanisms (like those used by SaucerSwap or WhbarHelper contracts) are in place
Within SaucerSwap and properly integrated third-party applications, these conditions are prevented through atomic bundling of operations. However, direct contract interactions without such safeguards can create these risk conditions.
This notice aims to help developers understand the importance of proper safety measures when working with the current implementation as the ecosystem evolves toward standardization.
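For operators who want to check their own accounts against the conditions above, the following is an added example, not SaucerSwap's code or part of the original notice. The record layout, account ids and amounts are constructed for illustration, and it assumes that any allowance still non-zero at rest counts as "open"; whether a protective wrapper is in use cannot be derived from these records and must be verified separately.

```python
from collections import namedtuple

WHBAR_ID = "0.0.1456986"  # id quoted in the notice; confirm it matches your records

Status = namedtuple("Status", "state balance open_spenders")


def triage(accounts, allowances, balances, token_id=WHBAR_ID):
    """Classify each of your own accounts against the notice's risk conditions.

    allowances: dicts with owner, spender, token_id, amount (remaining allowance)
    balances:   {(account, token_id): balance in smallest units}
    An allowance that is still non-zero at rest is treated as open (assumption).
    """
    report = {}
    for acct in accounts:
        spenders = sorted(
            (a["spender"], a["amount"])
            for a in allowances
            if a["owner"] == acct and a["token_id"] == token_id and a["amount"] > 0
        )
        balance = balances.get((acct, token_id), 0)
        if spenders and balance > 0:
            state = "at_risk"      # open allowance AND currently holding the token
        elif spenders:
            state = "revoke_only"  # nothing held now, but the allowance is standing
        else:
            state = "clear"
        report[acct] = Status(state, balance, spenders)
    return report


# Constructed sample records (hypothetical accounts, not real network data).
SAMPLE_ALLOWANCES = [
    {"owner": "0.0.1001", "spender": "0.0.5001", "token_id": WHBAR_ID, "amount": 250_000_000},
    {"owner": "0.0.1002", "spender": "0.0.5001", "token_id": WHBAR_ID, "amount": 0},
    {"owner": "0.0.1003", "spender": "0.0.5002", "token_id": WHBAR_ID, "amount": 10},
    {"owner": "0.0.1001", "spender": "0.0.5003", "token_id": "0.0.7777", "amount": 99},
]
SAMPLE_BALANCES = {
    ("0.0.1001", WHBAR_ID): 1_200_000_000,
    ("0.0.1002", WHBAR_ID): 500,
    ("0.0.1003", WHBAR_ID): 0,
}

if __name__ == "__main__":
    accounts = ["0.0.1001", "0.0.1002", "0.0.1003"]
    for acct, st in triage(accounts, SAMPLE_ALLOWANCES, SAMPLE_BALANCES).items():
        print(acct, st.state, st.balance, st.open_spenders)
```

Accounts reported as at_risk or revoke_only list the spenders whose allowances should be revoked.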
Recent Events
We are aware of recent discussions regarding WHBAR contract interactions. Accounts that used the WHBAR contract directly while meeting the aforementioned risk conditions have exposed themselves to loss of funds. While we continue our investigation, we can confirm that the vulnerability described in this notice has existed since a 2023 network update.
Initial analysis suggests the impact is limited to a small number of accounts that directly interacted with the contract without proper safeguards. We are conducting a thorough review to determine the full scope and will provide updates as appropriate. Throughout this period, SaucerSwap users and properly integrated protocols have remained unaffected due to the protective measures in place.
For any developers who may have implemented direct contract interactions: our documentation has always specified the correct atomic bundling pattern required for safe usage. We encourage anyone who believes they may have been affected to contact us directly so we can assist in understanding what occurred.
Action Required?
SaucerSwap: No Action Required by Users
SaucerSwap retail users do not need to take any immediate action. Your funds and positions within SaucerSwap remain secure and unaffected.
Bonzo Finance: No Action Required for Retail Users
All funds and positions within the Bonzo Finance protocol remain secure and unaffected. Retail user accounts utilizing Bonzo Finance do not need to take any immediate action.
Bonzo Finance: Action May Be Required for Liquidation Bot Operators / Developers
If your developer accounts or contracts directly manage a balance of wHBAR issued by SaucerSwap’s wHBAR (0.0.1456986) contract, it’s strongly recommended to revoke any open allowances, if they exist. If not already implemented, please review and implement best practices for wHBAR usage throughout your liquidation bot operations. Not following best practices has the potential to result in loss of wHBAR funds.
Looking Forward
To better align with ecosystem growth and standardization, SaucerSwap is committed to supporting the official Hashgraph ERC20 WHBAR standard. We will keep the community informed as ecosystem standards develop.
What This Means
- Users trading, providing liquidity, or staking on SaucerSwap: No risk, no action needed
- Projects using WhbarHelper or similar protections: Currently safe, no action needed
- Direct contract integrations without protections: Immediate risk — migrate to WhbarHelper implementation immediately or discontinue use
- Users interacting with integrated protocols: Check with those protocols about their safety measures
- New projects: Do not integrate directly with SaucerSwap WHBAR — use WhbarHelper patterns or wait for ecosystem standards
For Developers
We advise all developers and integration partners to:
- New integrations: Do not use the SaucerSwap WHBAR contract directly — await the Hashgraph standard or implement WhbarHelper patterns if absolutely necessary
- Existing integrations: Verify your safeguards are properly implemented or migrate to WhbarHelper immediately — contact our team if you need assistance
We appreciate the patience and ingenuity of our ecosystem partners who have built on top of our infrastructure, and we remain committed to supporting the ecosystem’s evolution.
If you have any questions or concerns, please reach out to our team through our official channels.
Thank you for your continued trust and support.
The SaucerSwap Labs Team







