Dmitri Tsumak, co-founder of the Ethereum 2.0 Stake Wise staking service, has discovered a vulnerability in the competing Rocket Pool and Lido protocols that could lead to theft of user funds.
The developer has decided to not publicly disclose the details of the bug. Rocket Pool and Lido Finance have confirmed the information. The first has postponed the launch scheduled for October 6, while the second team has said that around 20,000 ETH (about $71.5 million) were at risk.
Initially, Lido Finance had reported potential losses are limited to 100 ETH. The developers said:
“A critical vulnerability has been submitted for consideration to the Lido bounty program. Currently, the potential damage is small (less than 100 ETH), as well as the risk of problems, since the vulnerability can only be exploited by whitelisted node operators.”
Lido Finance has emphasized node operators are “respected and ethical companies” that play an important role in the project. The organization believes they will not take advantage of the vulnerability. However, in order to mitigate the risk, the staking limits for these participants will be temporarily limited.