2021-10-06 10:16:26
Key Takeaways
- A vulnerability affecting funds in ETH 2.0 staking pools has been safely patched.
- The bug was identified by StakeWise founder Dmitri Tsumak, who cooperated with rival staking protocols to protect users’ funds.
- Although the exploit has been patched, the affected protocols are still working towards a more permanent fix.
Dmitri Tsumak, the founder of the ETH 2.0 staking platform StakeWise, discovered a severe vulnerability affecting ETH staking competitors Rocket Pool and Lido. The exploit has now been patched, with Rocket Pool and Lido each paying Tsumak a $100,000 bug bounty for identifying the issue.
Ethereum Staking Pool Bug Patched
Late Monday evening, StakeWise founder Dmitri Tsumak discovered an exploit that would allow node operators to remove funds from ETH 2.0 liquid staking pools. Tsumak initially identified the exploit in the architecture of the soon-to-launch ETH staking protocol Rocket Pool. On further investigation, the bug was also found to affect Lido, currently the biggest ETH 2.0 staking pool on Ethereum, with a total value locked of $4.66 billion.
1/ Last night around 7PM UTC, our founder Dmitri Tsumak (@tsudmi) discovered a severe vulnerability in @Rocket_Pool that could lead to the theft of users’ funds if exploited.
Upon further examination, it became apparent that @LidoFinance's architecture was also affected. https://t.co/xlpZMYkFMe
— StakeWise (@stakewise_io) October 5, 2021
Although the node operators chosen by Rocket Pool and Lido are trusted, the exploit highlights a critical vulnerability in the smart contract architecture governing the protocols. While the bug was live, around 100 ETH of users’ funds were at risk.
After Tsumak reported the bug using an alias, the Rocket Pool team quickly informed Lido that funds on its protocol were also at risk. By the following morning, both protocols had taken measures to ensure the safety of their users’ funds.
The bug was identified just 24 hours before Rocket Pool was due to go live on Ethereum mainnet; the launch has now been postponed.
Rocket Pool and Lido have implemented temporary patches to secure users’ funds, but the problem is not yet fixed completely. Both protocols have charted a course of action and are currently working toward a more permanent solution to the exploit.
After the incident was resolved, the involved parties took to social media to debrief their respective communities on what had happened. Rocket Pool extended its gratitude to Tsumak for reporting the bug, despite his being the founder of Rocket Pool rival StakeWise.
On Twitter, StakeWise addressed why it had decided to go public with information about the exploit once it had been patched, stating:
“At StakeWise, we believe that even when dealing with our competitors, the more secure we are collectively, the stronger the entire #ETH2 staking ecosystem becomes. To achieve this, we must communicate and watch each other’s backs.”
Both Rocket Pool and Lido have agreed to pay Tsumak $100,000 for identifying the issue, the maximum amount detailed in Lido’s bug bounty program.
While vulnerabilities in DeFi protocols are not uncommon, they are often identified before hackers can exploit them. In August, samczsun of Paradigm.xyz detected a $350 million vulnerability in SushiSwap’s MISO smart contracts. The exploit was identified and fixed before hackers could take any funds. The Sushi team paid samczsun a bounty of $1 million USDC for his assistance in identifying and fixing the bug.
Disclaimer: At the time of writing this feature, the author owned BTC, ETH, and several other cryptocurrencies.