Lido and Rocket Pool Deploy Temporary Patches for Staking Node Vulnerability
Lido, a staking pool provider for Ethereum 2.0 staking, has successfully patched a security flaw discovered on its platform. The security flaw had caused a scare among Lido’s users, prompting the protocol to delay its launch to get things patched up.
Issues With the Smart Contract Architectures
On Monday, Dmitri Tsumak, the founder of Lido’s competitor StakeWise, announced the discovery of a vulnerability in its staking protocol that would allow node operators to remove funds from ETH 2.0 staking pools. Tsumak had initially identified the exploit in the architecture of Rocket Pool – a third protocol, which is set to launch soon.
After finding out that the flaw would also significantly affect Lido, Tsumak immediately raised the alarm. Lido is currently the largest ETH 2.0 staking pool built on the Ethereum blockchain, with a total value locked at over $4 billion.
Any vulnerabilities to its platform would have been fatal, so Tsumak’s discovery was an important one. Both venues were said to have been suffering from the same issue but in different iterations.
Speaking with industry news sources, Tsumak claimed that he had agreed with Rocket Pool, Lido, and Immunefi – the leading bug bounty protocol for the decentralized finance (DeFi) space – not to include any details about the bug. Rocket Pool and Lido would work on a patch to ensure that everything stays functional going forward.
Off to the Races
For now, Rocket Pool and Lido have implemented temporary patches to ensure the security of users’ funds. But the problem is far from fixed, so both platforms are still working to get a permanent solution.
They’ve been debriefing their users on social media on developments since the vulnerabilities became public knowledge. Lido assured investors of safety despite its security glitch.
After acknowledging the bug on Monday, Lido proposed a vote to reduce staking limits for all node operators in a bid to reduce the risk posed to its protocol. The company described the bug as “low-impact,” adding that it could only be exploited by the whitelisted node operators.
For its part, Rocket Pool has also delayed its launch. Tsumak had found the vulnerability 24 hours before the platform launched fully, and Rocket Pool is taking steps to rectify things.
The company confirmed yesterday that while the vulnerability was “minimal,” it wouldn’t be taking any chances with customers’ funds. So, it has delayed its launch indefinitely and will announce a new launch date soon.
Rocket Pool also expressed gratitude to Tsumak and the StakeWise team for reporting the bug, despite StakeWise being a rival to both affected parties.