
Critical vulnerability found in Ethereum 2.0 staking protocols
Dmitri Tsumak, co-founder of the Ethereum 2.0 staking service StakeWise, discovered a vulnerability in the competing protocols Rocket Pool and Lido that could lead to the theft of users’ funds.
1/ Last night around 7PM UTC, our founder Dmitri Tsumak (@tsudmi) discovered a severe vulnerability in @Rocket_Pool that could lead to the theft of users’ funds if exploited.
Upon further examination, it became apparent that @LidoFinance’s architecture was also affected. https://t.co/xlpZMYkFMe
— StakeWise (@stakewise_io) October 5, 2021
The developer refrained from publicly disclosing details of the bug. Rocket Pool and Lido Finance confirmed the information. The former postponed its launch, which had been planned for October 6, and the team of the latter said that around 20,000 ETH (~$71.5 million) were at risk.
Initially, Lido Finance said that potential losses were limited to 100 ETH.
“The critical vulnerability was submitted for consideration to Lido’s bug bounty program. At present, the potential damage is small (less than 100 ETH), as is the risk of problems, since the vulnerability can be exploited only by whitelisted node operators,” the developers said.
Lido Finance stressed that node operators are “reputable and ethical companies” who play an important role in the project. The organization says these operators will not exploit the vulnerability. However, to reduce risk, staking limits for these participants will be temporarily tightened.
Rocket Pool said it would begin testing the proposed method to fix the vulnerability next week. The developers are in close contact with auditors from Sigma Prime, who will verify the proposed concept on October 18.
Internal testing of our proof of concept fix for the raised exploit will begin next week. We have been in close communication with our auditors @sigp_io who will be confirming the fix from 18th Oct.
We will make sure our awesome community are kept up to date as things develop.
— Rocket Pool (@Rocket_Pool) October 8, 2021
Both projects set the maximum bounty on Immunefi for the bug’s discovery at $100,000, underscoring the seriousness of the matter.
The vulnerability, a flaw in the mechanism for registering first within the Ethereum 2.0 network, could allow validators or node operators to seize users’ funds. The community drew attention to the potential issue as early as November 2019.
“The presence of a vulnerability in the codebase is a long-term oversight,” Lido acknowledged.
A Lido Finance spokesperson told ForkLog that developers “closed the vulnerability temporarily with a configuration” and are creating a permanent solution. He did not rule out that the project would turn to auditors from Sigma Prime.
The Lido Finance blog also notes that the risk of exploiting the vulnerability was assessed as low.
Back in August 2021, Paradigm partner samczsun identified and helped fix a vulnerability in the DeFi project SushiSwap, which threatened the loss of over 109,000 ETH ($350 million at the time).