date 2021-10-08

Critical vulnerability found in Ethereum 2.0 staking protocols

Dmitry Tsumak, co-founder of the Ethereum 2.0 staking service StakeWise, discovered a vulnerability in the competing Rocket Pool and Lido protocols that could lead to the theft of user funds.

The developer refrained from publicly disclosing the details of the bug. Rocket Pool and Lido Finance have confirmed the report. The former postponed its launch, which had been scheduled for October 6, and the latter's team said that about 20,000 ETH (~$71.5 million) was at risk.

Initially, Lido Finance said that potential losses are limited to 100 ETH.

“A critical vulnerability has been submitted for consideration to the Lido bounty program. Currently, the potential damage is small (less than 100 ETH), as is the risk of problems, since the vulnerability can only be exploited by whitelisted node operators,” the developers said.

Lido Finance emphasized that the node operators are “respected and ethical companies” that play an important role in the project. The organization believes they will not take advantage of the vulnerability. However, to mitigate the risk, the staking limits for these participants will be temporarily reduced.

The Rocket Pool service announced that it will begin testing the proposed mitigation next week. The developers are “in close contact” with the auditors from Sigma Prime; on October 18 they will test the proposed concept.

Both projects have assigned the maximum allowable reward for the bug report ($100,000) on the Immunefi platform, which indicates its seriousness.

The vulnerability in question allows a validator or node operator to appropriate user funds; it is a flaw in the mechanism by which validators are registered on the Ethereum 2.0 network. The community took notice of the potential issue back in November 2019.

“The presence of a vulnerability in the codebase is a long-term omission,” Lido admitted.

As a reminder, in August 2021, Paradigm partner Sam Sun identified and helped eliminate a vulnerability in the DeFi project SushiSwap, which had put over 109,000 ETH ($350 million at the time) at risk.