ETH 2.0 Staking Platform Discovers Multimillion-Dollar Bug in Rivals’ Code

StakeWise is a small fish in the staking pond, but it made its presence felt with a bug report that put rival Rocket Pool’s launch on hold.

AccessTimeIconOct 6, 2021 at 8:14 p.m. UTC
Updated May 11, 2023 at 3:38 p.m. UTC
10 Years of Decentralizing the Future
May 29-31, 2024 - Austin, TexasThe biggest and most established global event for everything crypto, blockchain and Web3.Register Now

On Tuesday, the disclosure of a vulnerability from ETH 2.0 staking service StakeWise may have saved millions of dollars’ worth of ETH that were at risk in rival staking protocols Lido and Rocket Pool.

The disclosure came as the Ethereum community prepares for a switch from a proof-of-work consensus to proof-of-stake – the largest and most technically complex conversion of its kind in blockchain history with over $20 billion in staked ETH on the line.

StakeWise’s staff flagged the disclosure on Twitter, noting that the white hat who reported the vulnerability was Dmitri Tsumak, one of the protocol’s co-founders.

The timing is fortuitous, because Rocket Pool was set to launch its mainnet within 24 hours. The project has postponed the launch until the fix is in place.

Tsumak told CoinDesk that he has agreed with Immunefi, Lido and Rocket Pool to refrain from disclosing the exact nature of the bug while the affected platforms work on a patch, but both Lido and Rocket Pool are planning to disburse the maximum allowable Immunefi bounty of $100,000 – indicating a bug of “critical severity,” according to StakeWise co-founder Kirill Kutakov.

Tsumak initially contacted Rocket Pool about the vulnerability, and when it became clear other protocols could have the same bug, he opted to contact the bounty platform Immunefi as well as Lido.

“As soon as I reported to Rocket Pool, we chatted about who else could be affected, and in Lido’s case, they were seeing the same issue in a bit different interpretation,” Tsumak said.

A tweet thread from Lido mentioned that “under 100″ ETH was vulnerable on Tuesday, but a vulnerability disclosure published today said that upward of 20,000 ETH worth $72 million was at risk.

In both cases, the bug allowed validators or node operators to drain depositor funds – a flaw with how validators are registered with ETH 2.0.

Lido did not respond to a request for comment by press time.

“Rocket Pool is glad that its bug bounty program lead to the discovery of a serious exploit that affected multiple staking providers. Inline with responsible disclosure we worked with our bug bounty program (Immunefi) to alert the other teams quickly. We have extended our warmest thanks to Dmitri for reporting the exploit,” said Rocket Pool manager Darren Langley in a statement to CoinDesk.

Additionally, the Rocket Pool community is planning a non-fungible token (NFT) drop for the StakeWise community to commemorate the event, according to conversations on the Discord messaging app.

Kutakov said that the decision to notify the platform’s rivals was an easy one.

“We wouldn’t wish this vulnerability on our competitors, and that’s why we went with the amicable route and let them know about it before their launch,” he said.

Security review

StakeWise was able to identify the bug because it was working on decentralizing its own platform’s v2, which will include a multi-validator architecture. StakeWise allows for interest-bearing ETH deposits but uses a single-node system.

The project believes that it has has been “flying under the radar” for some time because of that centralization. Rocket Pool’s RPL token now sits at a $353.5 million market capitalization, and Lido’s LDO is at $103 million. StakeWise’s SWISE, meanwhile, has a $4 million market cap.

This bug report is just another instance of Tsumak’s open-source ethos, Kutakov said.

“Dmitri has been known in the StakeWise community for putting out things that advance the space,” Kutakov said of his colleague.

He pointed toward Tsumak’s Horcrux, an open-source tool that allows projects to decentralize a withdrawal key.

While StakeWise acknowledged that the bug report is something of a marketing coup, its end goal is to ensure a healthy launch for ETH 2.0.

“It is great to generate awareness, but we see this space as a collaborative effort with everyone working to make Ethereum’s proof-of-stake a reality,” Kutakov said.

StakeWise v2 is now under audit, with a target launch date in November.

UPDATE (Oct. 7, 15:36 UTC): Corrects Dmitri Tsumak’s name throughout; adds comment from Rocket Pool.


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

Andrew Thurman

Andrew Thurman was a tech reporter at CoinDesk with a focus on DeFi.

Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to to register and buy your pass now.