Critical vulnerability discovered in Ethereum 2.0 staking protocols
The co-founder of Ethereum 2.0 staking service StakeWise, Dmitri Tsumak, has discovered a vulnerability in rival protocols Rocket Pool and Lido that could lead to the theft of user funds.
1/ Last night around 7PM UTC, our founder Dmitri Tsumak (@tsudmi) discovered a severe vulnerability in @Rocket_Pool that could lead to the theft of users’ funds if exploited. Upon further examination, it became apparent that @LidoFinance's architecture was also affected.
The developer has refrained from publicly disclosing details of the bug. Rocket Pool and Lido Finance confirmed the information. The former postponed its scheduled launch on October 6, while the team at the latter said that about 20,000 ETH (~$71.5 million) were at risk.
Initially, Lido Finance said the potential loss was limited to 100 ETH.
"The critical vulnerability has been submitted to Lido's bounty program for review. At present, the potential loss is low (less than 100 ETH), as is the risk of problems, as only whitelisted node operators can exploit the vulnerability," the developers said.
Lido Finance stressed that node operators are "respected and ethical companies" that play an important role in the project. The organisation believes that they will not take advantage of the vulnerability. However, to mitigate the risk, staking limits for these participants will be temporarily restricted.
The Rocket Pool service has said that it will begin testing a proposed fix for the vulnerability next week. The developers are "in close contact" with auditors from Sigma Prime, who will test the proposed concept on 18 October.
Internal testing of our proof of concept fix for the raised exploit will begin next week. We have been in close communication with our auditors @sigp_io who will be confirming the fix from 18th Oct. We will make sure our awesome community are kept up to date as things develop.
Both projects have set the maximum reward allowed on the Immunefi service for detecting the bug ($100,000), indicating its seriousness.
The vulnerability in question stems from a flaw in the validator registration mechanism in the Ethereum 2.0 network and allows validators or node operators to misappropriate user funds. The community drew attention to the potential problem back in November 2019.
Recall that in August 2021, Paradigm partner Sam Sun identified and helped fix a vulnerability in DeFi project SushiSwap that put over 109,000 ETH ($350 million at the time) at risk.