- A vulnerability affecting funds in ETH 2.0 staking pools has been safely patched.
- The bug was identified by StakeWise founder Dmitri Tsumak, who cooperated with rival staking protocols to protect users’ funds.
- Although the exploit has been patched, the affected protocols are still working towards a more permanent fix.
Dmitri Tsumak, the founder of the ETH 2.0 staking platform StakeWise, discovered a severe vulnerability affecting ETH staking competitors Rocket Pool and Lido. The exploit has now been patched, with Rocket Pool and Lido each paying Tsumak a $100,000 bug bounty for identifying the issue.
Ethereum Staking Pool Bug Patched
Late Monday evening, StakeWise founder Dmitri Tsumak discovered an exploit that would allow node operators to remove funds from ETH 2.0 liquid staking pools. Tsumak initially identified the exploit in the architecture of the soon-to-launch ETH staking protocol Rocket Pool. Upon further investigation, the bug was also found to affect Lido, currently the biggest ETH 2.0 staking pool on Ethereum, with a total value locked of $4.66 billion.
Although the node operators chosen by Rocket Pool and Lido are trusted, the exploit highlights a critical vulnerability in the smart contract architecture governing the protocols. While the bug was live, around 100 ETH of users’ funds were at risk.
After Tsumak reported the bug using an alias, the Rocket Pool team quickly informed Lido that funds on its protocol were also at risk. By the following morning, both protocols had taken measures to ensure the safety of their users’ funds.
The bug was identified just 24 hours before Rocket Pool was due to go live on Ethereum mainnet; the launch has now been postponed.
Rocket Pool and Lido have implemented temporary patches to secure users’ funds, but the problem is not yet fixed completely. Both protocols have charted a course of action and are currently working toward a more permanent solution to the exploit.
After the incident was resolved, the involved parties took to social media to debrief their respective communities on what had happened. Rocket Pool extended its gratitude to Tsumak for reporting the bug, despite his being the founder of Rocket Pool rival StakeWise.
On Twitter, StakeWise addressed why it had decided to go public with information about the exploit once it had been patched, stating:
“At StakeWise, we believe that even when dealing with our competitors, the more secure we are collectively, the stronger the entire #ETH2 staking ecosystem becomes. To achieve this, we must communicate and watch each other’s backs.”
Both Rocket Pool and Lido have agreed to pay Tsumak $100,000 for identifying the issue, the maximum amount detailed in Lido’s bug bounty program.
While vulnerabilities in DeFi protocols are not uncommon, they are often identified before hackers can exploit them. In August, samczsun of Paradigm.xyz detected a $350 million vulnerability in SushiSwap’s MISO smart contracts. The exploit was identified and fixed before hackers could take any funds. The Sushi team paid samczsun a bounty of $1 million USDC for his assistance in identifying and fixing the bug.
Disclaimer: At the time of writing this feature, the author owned BTC, ETH, and several other cryptocurrencies.