
ETH 2.0 Staking Platform Discovers Multimillion-Dollar Bug in Rivals’ Code

StakeWise is a small fish in the staking pond, but it made its presence felt with a bug report that put rival Rocket Pool’s launch on hold.

Updated May 11, 2023, 3:38 p.m. Published Oct 6, 2021, 8:14 p.m.
(Aditya Siva/Unsplash)

On Tuesday, the disclosure of a vulnerability from ETH 2.0 staking service StakeWise may have saved millions of dollars’ worth of ETH that were at risk in rival staking protocols Lido and Rocket Pool.

The disclosure came as the Ethereum community prepares for a switch from a proof-of-work consensus to proof-of-stake – the largest and most technically complex conversion of its kind in blockchain history with over $20 billion in staked ETH on the line.


StakeWise’s staff flagged the disclosure on Twitter, noting that the white hat who reported the vulnerability was Dmitri Tsumak, one of the protocol’s co-founders.

The timing is fortuitous, because Rocket Pool was set to launch its mainnet within 24 hours. The project has postponed the launch until the fix is in place.

Tsumak told CoinDesk that he has agreed with Immunefi, Lido and Rocket Pool to refrain from disclosing the exact nature of the bug while the affected platforms work on a patch, but both Lido and Rocket Pool are planning to disburse the maximum allowable Immunefi bounty of $100,000 – indicating a bug of “critical severity,” according to StakeWise co-founder Kirill Kutakov.

Tsumak initially contacted Rocket Pool about the vulnerability, and when it became clear other protocols could have the same bug, he opted to contact the bounty platform Immunefi as well as Lido.

“As soon as I reported to Rocket Pool, we chatted about who else could be affected, and in Lido’s case, they were seeing the same issue in a bit different interpretation,” Tsumak said.

A tweet thread from Lido mentioned that “under 100” ETH was vulnerable on Tuesday, but a vulnerability disclosure published today said that upward of 20,000 ETH worth $72 million was at risk.

In both cases, the bug allowed validators or node operators to drain depositor funds – a flaw in how validators are registered with ETH 2.0.

Lido did not respond to a request for comment by press time.

“Rocket Pool is glad that its bug bounty program led to the discovery of a serious exploit that affected multiple staking providers. In line with responsible disclosure we worked with our bug bounty program (Immunefi) to alert the other teams quickly. We have extended our warmest thanks to Dmitri for reporting the exploit,” said Rocket Pool manager Darren Langley in a statement to CoinDesk.

Additionally, the Rocket Pool community is planning a non-fungible token (NFT) drop for the StakeWise community to commemorate the event, according to conversations on the Discord messaging app.

Kutakov said that the decision to notify the platform’s rivals was an easy one.

“We wouldn’t wish this vulnerability on our competitors, and that’s why we went with the amicable route and let them know about it before their launch,” he said.

Security review

StakeWise was able to identify the bug because it was working on decentralizing its own platform’s v2, which will include a multi-validator architecture. StakeWise allows for interest-bearing ETH deposits but uses a single-node system.

The project believes that it has been “flying under the radar” for some time because of that centralization. Rocket Pool’s RPL token now sits at a $353.5 million market capitalization, and Lido’s LDO is at $103 million. StakeWise’s SWISE, meanwhile, has a $4 million market cap.

This bug report is just another instance of Tsumak’s open-source ethos, Kutakov said.

“Dmitri has been known in the StakeWise community for putting out things that advance the space,” Kutakov said of his colleague.

He pointed toward Tsumak’s Horcrux, an open-source tool that allows projects to decentralize a withdrawal key.

While StakeWise acknowledged that the bug report is something of a marketing coup, its end goal is to ensure a healthy launch for ETH 2.0.

“It is great to generate awareness, but we see this space as a collaborative effort with everyone working to make Ethereum’s proof-of-stake a reality,” Kutakov said.

StakeWise v2 is now under audit, with a target launch date in November.

UPDATE (Oct. 7, 15:36 UTC): Corrects Dmitri Tsumak’s name throughout; adds comment from Rocket Pool.
