link.png

ID:

rocketpool-1121

Date:

Status:

Incident Count:

October 5, 2021

Near-Miss

1

info.png
target.png
REKT

Contributor:

chain.png

web3rekt.com

KYC By:

KYC:

None

info.png

Audit By:

Audits:

None

Loss Amount:

-

info.png

Recovered:

-

Rewards:

200,000

Currency:

USD

info.png

Key Indicators

Platform:

Type:

Category:

Method:

Data Sources:

Ethereum

Dapp

Dexes

Near-Miss

Extended Method:

Front running

info.png

Days in Operation:

1931

(5.29 Years)

chain.png
chain.png
chain.png
chain.png
datasource.png

Whitehat Dmitri Tsumak, founder of StakeWise, submitted a critical vulnerability on October 5th that affected the RocketPool and Lido Finance staking platforms. The vulnerability allowed for the node operator to steal user deposits. The payout for the whitehat was the maximum amount for critical bugs from both projects ($100,000 from each project), resulting in a total payout of $200,000.

The whitehat first disclosed the vulnerability in RocketPool, but after checking another staking service, he noticed the same issue in Lido Finance and submitted another bug report through Immunefi.

An attacker waits for the 32 ETH to be submitted from the pool to the deposit contract for one of the validators approved in the beginning. When this happens, the malicious node operator frontruns the deposit with previously prepared deposit data with minimal needed deposit value for the same validator bls key by calling deposit() function on the deposit contract.

info.png

DISCLAIMER: While web3rekt has used the best efforts in aggregating and maintaining this database, this web site makes no representations or warranties with respect to the accuracy or completeness of its information and data herein, and specifically disclaim any implied warranties of merchantability or fitness for any particular purpose. 

Under no circumstances, shall web3rekt be liable for any loss of profit or funds, any regulatory or governmental penalties, any legal costs, or any other commercial and non-commercial damages, including but not limited to special, incidental, consequential, or other damages from any or all usage of the data and information derived from this database.