Date: 2021-10-08

Dmitry Tsumak, co-founder of the Ethereum 2.0 staking service StakeWise, discovered a vulnerability in the competing Rocket Pool and Lido protocols that could lead to theft of user funds.

1 / Last night around 7PM UTC, our founder Dmitri Tsumak (@tsudmi) discovered a severe vulnerability in @Rocket_Pool that could lead to the theft of users’ funds if exploited. Upon further examination, it became apparent that @LidoFinance’s architecture was also affected. https://t.co/xlpZMYkFMe – StakeWise (@stakewise_io) October 5, 2021

The developer refrained from publicly disclosing the details of the bug. Rocket Pool and Lido Finance have confirmed the information. The former postponed its launch, which had been scheduled for October 6, and the latter said that about 20,000 ETH (~$71.5 million) was at risk.

Initially, Lido Finance said that potential losses were limited to 100 ETH.

“A critical vulnerability has been submitted for consideration to the Lido bounty program. Currently, the potential damage is small (less than 100 ETH), as well as the risk of problems, since the vulnerability can only be exploited by whitelisted node operators,” the developers said.

Lido Finance emphasized that the node operators are “respected and ethical companies” that play an important role in the project. The organization believes they will not take advantage of the vulnerability. However, to mitigate the risk, the staking limits for these participants will be temporarily restricted.

The Rocket Pool service announced that it will begin testing the proposed mitigation method next week. The developers are “in close contact” with the auditors from Sigma Prime – on October 18th they will test the proposed concept.

Internal testing of our proof of concept fix for the raised exploit will begin next week. We have been in close communication with our auditors @sigp_io who will be confirming the fix from 18th Oct. We will make sure our awesome community are kept up to date as things develop. – Rocket Pool (@Rocket_Pool) October 8, 2021

Both projects have assigned the maximum allowable reward for detecting a bug ($100,000) on the Immunefi service, which indicates the seriousness of the issue.

The vulnerability in question allows a validator or node operator to appropriate user funds. It is a flaw in the mechanism for registering validators in the Ethereum 2.0 network. The community took notice of the potential issue back in November 2019.

“The presence of a vulnerability in the codebase is a long-term omission,” Lido admitted.

As a reminder, in August 2021, Paradigm partner Sam Sun identified and helped eliminate a vulnerability in the DeFi project SushiSwap that put over 109,000 ETH ($350 million at that time) at risk.

