ETH 2.0 Staking Platform Discovers Multimillion-Dollar Bug in Rivals’ Code

On Tuesday, a vulnerability disclosure from ETH 2.0 staking service StakeWise may have saved millions of dollars worth of ETH at risk in rival staking protocols Lido and Rocket Pool.

The disclosure comes as the Ethereum community prepares for a monumental switch from proof-of-work consensus to proof-of-stake – easily the largest and most technically complex conversion of its kind in blockchain history with over $20 billion in staked ETH on the line.

The StakeWise team flagged the disclosure on Twitter, noting that the whitehat who reported the vulnerability was protocol co-founder Dmitri Tsuma.

1/ Last night around 7PM UTC, our founder Dmitri Tsumak (@tsudmi) discovered a severe vulnerability in @Rocket_Pool that could lead to the theft of users’ funds if exploited.

Upon further examination, it became apparent that @LidoFinance‘s architecture was also affected.

— StakeWise (@stakewise_io) October 5, 2021

The timing is especially fortuitous, as Rocket Pool was set to launch on mainnet within 24 hours. Currently, the project has postponed its launch until the fix is in place.

Tsuma told CoinDesk that he’s agreed with the Lido, Immunefi and Rocket Pool teams to refrain from disclosing the exact nature of the bug while affected teams work on a patch, but both Lido and Rocket Pool are planning to disburse the maximum allowable Immunefi bounty of $100,000 – indicating a bug of “critical severity,” per StakeWise co-founder Kirill Kutakov.

Tsuma initially contacted Rocket Pool with the vulnerability, and when it became clear other protocols could have the same bug he opted to contact the bounty platform Immunefi as well as Lido.

“As soon as I reported to Rocket Pool, we chatted about who else could be affected, and in Lido’s case they were seeing the same issue in a bit different interpretation,” said Tsuma.

A tweet thread from Lido mentioned that “under 100″ ETH was vulnerable on Tuesday, but a vulnerability disclosure published today said that upwards of 20,000 ETH worth $72 million was at risk.

A critical vulnerability has been submitted to the Lido bug bounty program.

Currently the potential impact is low (less than 100 ETH) and the risk of it happening is not high either, as the vulnerability can only be exploited by the currently whitelisted Lido node operators.

— Lido (@LidoFinance) October 5, 2021

In both cases, the bug allowed validators or node operators to drain depositor funds – a flaw with how validators are registered with ETH 2.0.

Neither Lido or Rocket Pool responded to a request for comment by press time, but the Rocket Pool community is currently planning a non-fungible token (NFT) drop for the StakeWise community to commemorate the event, per Discord conversations.

Kutakov said that the decision to notify their rivals was an easy one.

“We wouldn’t wish this vulnerability on our competitors, and that’s why we went with the amicable route and let them know about it before their launch,” said Kutakov.

Security review

Ironically, the reason why StakeWise was able to identify the bug is because they were working on decentralizing their own platform’s v2, which will include a multi-validator architecture. StakeWise currently allows for interest-bearing ETH deposits but uses a single-node system.

The team believes that StakeWise has been “flying under the radar” due to that centralization for some time. Rocket Pool’s RPL token currently sits at a $353.5 million market capitalization, and Lido’s LDO is at $103 million – StakeWise’s SWISE, meanwhile, has only captured a $4 million market cap.

This bug report is just another instance of Tsuma’s open-source ethos, says Kutakov.

“Dmitri has been known in the StakeWise community for putting out things that advance the space,” Kutakov said of his colleague.

He pointed towards Tsuma’s Horcrux, an open-source tool that allows teams to decentralize a withdrawal key.

While the team acknowledged that the bug report is something of a marketing coup, their end goal is to ensure a healthy launch for ETH 2.0.

“It is great to generate awareness, but we see this space as a collaborative effort with everyone working to make Ethereum’s proof-of-stake a reality.”

StakeWise v2 is currently under audit, with a target launch in November.

Leave a Reply

Your email address will not be published. Required fields are marked *

%d bloggers like this: