Critical Bug in Ethereum 2.0 Staking Pools Safely Patched
The vulnerability put staked Ethereum tokens at risk.
- A vulnerability affecting funds in ETH 2.0 staking pools has been safely patched.
- The bug was identified by StakeWise founder Dmitri Tsumak, who cooperated with rival staking protocols to protect users' funds.
- Although the exploit has been patched, the affected protocols are still working towards a more permanent fix.
Share this article
Dmitri Tsumak, the founder of the ETH 2.0 staking platform StakeWise, discovered a severe vulnerability affecting ETH staking competitors Rocket Pool and Lido. The exploit has now been patched, with Rocket Pool and Lido each paying Tsumak a $100,000 bug bounty for identifying the issue.
Ethereum Staking Pool Bug Patched
A vulnerability affecting funds in ETH 2.0 staking pools has been safely patched.
Late Monday evening, StakeWise founder Dmitri Tsumak discovered an exploit that would allow node operators to remove funds from ETH 2.0 liquid staking pools. Tsumak initially identified the exploit in the architecture of the soon-to-launch ETH staking protocol Rocket Pool. Under further investigation, the bug was also found to affect Lido, the current biggest ETH 2.0 staking pool on Ethereum, with a total value locked of $4.66 billion.
1/ Last night around 7PM UTC, our founder Dmitri Tsumak (@tsudmi) discovered a severe vulnerability in @Rocket_Pool that could lead to the theft of users’ funds if exploited.
Upon further examination, it became apparent that @LidoFinance's architecture was also affected. https://t.co/xlpZMYkFMe
— StakeWise (@stakewise_io) October 5, 2021
Although the node operators chosen by Rocket Pool and Lido are trusted, the exploit highlights a critical vulnerability in the smart contract architecture governing the protocols. While the bug was live, at least 20,000 ETH of users’ funds were at risk.
After Tsumak reported the bug using an alias, the Rocket Pool team quickly informed Lido that funds on its protocol were also at risk. By the following morning, both protocols had taken measures to ensure the safety of their user’s funds.
The bug was identified just 24 hours before Rocket Pool was due to go live on Ethereum mainnet; the launch has now been postponed.
Rocket Pool and Lido have implemented temporary patches to secure users’ funds, but the problem is not yet fixed completely. Both protocols have chartered a course of action and are currently working toward a more permanent solution to the exploit.
After the incident was resolved, the involved parties took to social media to debrief their respective communities on what had happened. Rocket Pool extended its gratitude to Tsumak for reporting the bug, despite being the founder of the Rocket Pool rival StakeWise.
On Twitter, StakeWise addressed why it had decided to go public with information of the exploit once it had been patched, stating:
“At StakeWise, we believe that even when dealing with our competitors, the more secure we are collectively, the stronger the entire #ETH2 staking ecosystem becomes. To achieve this, we must communicate and watch each other’s backs.”
Both Rocket Pool and Lido have agreed to pay Tsumak $100,000 for identifying the issue, the maximum amount detailed in Lido’s bug bounty program.
While vulnerabilities in DeFi protocols are not uncommon, they are often identified before hackers can exploit them. In August, Samzcsun of Paradigm.xyz detected a $350 million vulnerability in SushiSwap’s MISO smart contracts. The exploit was identified and fixed before hackers could take any funds. The Sushi team paid Samzcsun a bounty of $1 million USDC for his assistance identifying and fixing the bug.
Editor’s note: Following a statement from Lido, the article has been updated to clarify that at least 20,000 ETH were at risk.
Disclosure: At the time of writing this feature, the author owned BTC, ETH, and several other cryptocurrencies.