- A vulnerability affecting funds in ETH 2.0 staking pools has been safely fixed.
- The bug was identified by StakeWise founder Dmitri Tsumak, who has teamed up with rival staking protocols to protect users’ funds.
- Although the vulnerability has been patched, the affected protocols are still working towards a more permanent fix.
Dmitri Tsumak, founder of the ETH 2.0 staking platform StakeWise, has discovered a critical vulnerability affecting ETH staking competitors Rocket Pool and Lido. The vulnerability has now been patched, with Rocket Pool and Lido paying Tsumak a $100,000 bug bounty for fixing the issue.
Ethereum Staking Pool Bug Patched
Late on Monday evening, StakeWise founder Dmitri Tsumak discovered a vulnerability that would allow contract operators to remove funds from ETH 2.0 liquid staking pools. Tsumak initially identified the vulnerability in the architecture of the soon-to-launch ETH staking protocol Rocket Pool. On further investigation, the bug was also found to affect Lido, the largest ETH 2.0-exclusive pool on Ethereum, with a total value of $4.66 billion.
1/ Last night around 7pm UTC, our founder Dmitriy Tsumak (Tweet embed) discovered a severe weakness in (Tweet embed). It can lead to users’ money being stolen if it is exploited.
After further examination, it became clear that the (Tweet embed) architecture was also affected. https://t.co/xlpZMYkFMe
– StakeWise (@stakewise_io) October 5, 2021
Although the node operators chosen by Rocket Pool and Lido are reliable, the exploit highlights a serious vulnerability in the smart contract architecture that governs the protocols. While the bug was live, around 100 ETH of user funds were at risk.
After Tsumak reported the bug using an alias, the Rocket Pool team quickly informed Lido that the funds in its protocol were also at risk. By the next morning, both protocols had taken measures to ensure the safety of users’ funds.
The bug was identified only 24 hours before the launch of Rocket Pool on the Ethereum mainnet; the launch has been postponed.
Rocket Pool and Lido have implemented temporary patches to secure users’ funds, but the issue has yet to be completely resolved. Both protocols have charted a course of action and are currently working towards a more permanent fix for the vulnerability.
After the incident was resolved, the parties involved took to social media to inform their communities about what had happened. Rocket Pool extended its thanks to Tsumak for reporting the bug, despite his being the founder of Rocket Pool competitor StakeWise.
On Twitter, StakeWise explained why it decided to publish information about the exploit once it had been patched, saying:
“At StakeWise, we believe that even when dealing with our competitors, the more secure we are collectively, the stronger the #ETH2 staking ecosystem will be. To make that happen, we must communicate and watch each other emerge.”
Rocket Pool and Lido agreed to pay Tsumak $100,000 to fix the problem, which is the maximum amount detailed in Lido’s bug bounty program.
Although vulnerabilities in DeFi protocols are not uncommon, they are often identified before hackers can exploit them. In August, Paradigm.xyz’s samczsun discovered a $350 million vulnerability in SushiSwap’s MISO smart contracts. The vulnerability was identified and fixed before hackers could take any money. The Sushi team paid samczsun a $1 million reward for his assistance in identifying and fixing the bug.
Disclaimer: At the time of writing this feature, the author owns BTC, ETH, and many other cryptocurrencies.