Ethereum 2.0 staking platform discovers a critical vulnerability


Dmitri Tsumak, a co-founder of the Ethereum 2.0 staking service StakeWise, discovered a vulnerability in the competing Rocket Pool and Lido protocols that could lead to the theft of user funds.

The developer refrained from publicly disclosing the details of the bug. Rocket Pool and Lido Finance confirmed the information. The former postponed its launch, which had been scheduled for October 6, and the latter's team said that about 20,000 ETH (~$72 million) were at risk.

Initially, Lido Finance reported that potential losses were limited to 100 ETH.

Respected and ethical companies

“A critical vulnerability has been submitted for consideration to the Lido bounty program. Currently, the potential damage is small (less than 100 ETH), as is the risk of problems, since only node operators on the white list can use the vulnerability,” the developers said.

Lido Finance stressed that node operators are “respected and ethical companies” that play an important role in the project. The organization believes that they will not take advantage of the vulnerability. However, to reduce the risk, the staking limits for these participants will be temporarily restricted.

The Rocket Pool service announced that it will start testing the proposed method of eliminating the vulnerability next week. The developers are “in close contact” with the auditors from Sigma Prime. On October 18 they will check the proposed concept.

The maximum allowable reward

In addition, both projects have awarded the maximum allowable bug bounty on the Immunefi service ($100,000) for the discovery, which indicates its severity.

The vulnerability in question allows a validator or node operator to appropriate user funds. It is a flaw in the mechanism for registering validators in the Ethereum 2.0 network. The community drew attention to a potential problem back in November 2019.

“The presence of a vulnerability in the codebase is a long-term omission,” admitted Lido.

Recall that in August 2021, Paradigm partner Sam Sun identified and helped eliminate a vulnerability in the SushiSwap DeFi project that put over 109,000 ETH ($350 million at that time) at risk.
