Dmitri Tsumak, co-founder of the Ethereum 2.0 staking service StakeWise, has discovered a vulnerability in the Rocket Pool and Lido protocols that could lead to the theft of user funds.
Rocket Pool and Lido Finance have confirmed the information. The former has delayed its launch, which was scheduled for October 6, while the team of the latter has said that around 20,000 ETH (approximately $71.5 million) were at risk.
Lido Finance had initially said potential losses would not exceed 100 ETH. The developers have stated:
"A critical vulnerability has been submitted to the Lido bug bounty program. Currently the potential impact is low (less than 100 ETH) and the risk of it happening is not high either, as the vulnerability can only be exploited by the currently whitelisted Lido node operators."
Lido Finance has stressed that the node operators are "respectable and ethical companies" that are unlikely to exploit the vulnerability. However, to mitigate the risk, participation by these operators will be temporarily limited.
Rocket Pool has announced it will start testing a proposed mitigation method next week.
Both projects have allocated the maximum allowable reward for detecting a bug ($100,000) through the Immunefi service, which reflects the severity of the bug.
The vulnerability in question allows a validator or node operator to steal user funds. The community became aware of the potential problem in November 2019.
"The presence of a vulnerability in the code base is a long-term omission," Lido has admitted.