Security flaw in the Ethereum Staking Pool has been patched

A security flaw affecting funds in ETH 2.0 staking pools has been patched. The bug was discovered by Dmitri Tsumak, founder of StakeWise, who collaborated with rival staking protocols to safeguard users’ funds.

Dmitri Tsumak, the founder of the ETH 2.0 staking platform – StakeWise, discovered a critical vulnerability affecting Rocket Pool and Lido, two ETH staking competitors. The exploit has been patched, and Rocket Pool and Lido have each paid Tsumak $100,000 for identifying the vulnerability.

Dmitri Tsumak, the founder of StakeWise, discovered an exploit late Monday evening that would allow node operators to withdraw funds from ETH 2.0 liquid staking pools. Tsumak discovered the exploit in the architecture of Rocket Pool, the soon-to-be-launched ETH staking protocol. Further investigation revealed that the bug also affects Lido, the world’s largest ETH 2.0 staking pool, with a total value locked of $4.66 billion.

Although Rocket Pool and Lido have chosen trustworthy node operators, the exploit demonstrates a critical vulnerability in the smart contract architecture that governs the protocols. Approximately 100 ETH of users’ funds were at risk while the bug was active.

Following Tsumak’s report of the bug, the Rocket Pool team quickly notified Lido that funds on its protocol were also at risk. By the following morning, both protocols had implemented safeguards to protect their users’ funds. The bug was discovered just 24 hours before Rocket Pool was scheduled to launch on the Ethereum mainnet; the launch has been delayed.

While Rocket Pool and Lido have implemented temporary fixes to protect users’ funds, the issue has not been resolved completely. Both protocols have mapped out a course of action and are currently working on a more permanent fix for the exploit.

Following the resolution of the incident, the parties involved took to social media to brief their respective communities on what had occurred. Rocket Pool expressed gratitude to Tsumak for reporting the bug, despite the fact that Tsumak is the founder of Rocket Pool’s competitor StakeWise. StakeWise explained on Twitter why it chose to make information about the exploit public after it was patched:

“At StakeWise, we believe that even when dealing with our competitors, the more secure we are collectively, the stronger the entire #ETH2 staking ecosystem becomes. To achieve this, we must communicate and watch each other’s backs.”

Both Rocket Pool and Lido have agreed to compensate Tsumak $100,000 for identifying the vulnerability, the maximum amount allowed under Lido’s bug bounty program.

While vulnerabilities in DeFi protocols are not uncommon, they are frequently discovered prior to being exploited by hackers. In August, samczsun of Paradigm.xyz discovered a $350 million security flaw in SushiSwap’s MISO smart contracts. Before hackers could steal any funds, the exploit was identified and fixed. The Sushi team awarded samczsun a $1 million USDC bounty for assisting in identifying and resolving the bug.
