Sharedstake Exploit postmortem Sep 1/2023
Attacker addresses — please reach out to chimera_defi@protonmail.com // admin@sharedstake.org with any info
0xBbAc1508f8A505D5383a1E945d63b26D7ed7A414
0x98536DBdC45f48b53612Bfb0A8892B5501E7e9e7
Sharedstake sgETH contract was exploited on Aug 31/2023
Please do not interact with anything using sgETH such as Stake or Rollover on Sharedstake.org & withdraw any remaining funds in the minter or rollover contracts.
If you have vETH2 in the Rollover contract, please go here and connect wallet -> withdraw:
https://etherscan.io/address/0x68a31dfD0c81A411C5adadc8A40225425777466C#writeContract
Due to the batching of our rollovers and the relatively new, unaudited nature of the contract, losses were limited but still significant.
In total ~105 Eth was lost.
Root Cause
Improper ownership checks in the sgETH contract
https://etherscan.io/address/0x9e52dB44d62A8c9762FA847Bd2eBa9d0585782d1#readContract
allowed anyone to gain control of the contract and mint unlimited sgETH.
They could then use that sgETH to withdraw ETH from the minter contract.
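The bug class behind this, as an illustrative example added here (not the sgETH source, and the exact check that was missing in sgETH is not stated above): a role-managed mintable token whose `grantRole` never verifies that the caller holds the admin role, so any address can make itself admin, then minter, then mint without collateral. The hardened form assumes the OpenZeppelin `AccessControl` import path and relies on its built-in `onlyRole(getRoleAdmin(role))` guard.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "@openzeppelin/contracts/access/AccessControl.sol";

// Illustrative only: NOT the sgETH contract. Shows the class of bug in the
// postmortem: role grants with no check on who is calling.
contract WeakRoleToken {
    bytes32 public constant MINTER_ROLE = keccak256("MINTER_ROLE");
    bytes32 public constant ADMIN_ROLE = 0x00;
    mapping(bytes32 => mapping(address => bool)) private _roles;
    mapping(address => uint256) public balanceOf;

    constructor() {
        _roles[ADMIN_ROLE][msg.sender] = true;
    }

    // BUG: no requirement that msg.sender holds ADMIN_ROLE, so any caller
    // can grant any role (including ADMIN_ROLE and MINTER_ROLE) to anyone.
    function grantRole(bytes32 role, address account) external {
        _roles[role][account] = true;
    }

    // Mint is gated on MINTER_ROLE, but the gate is worthless because the
    // role itself can be self-assigned through grantRole above.
    function mint(address to, uint256 amount) external {
        require(_roles[MINTER_ROLE][msg.sender], "not minter");
        balanceOf[to] += amount;
    }
}

// Hardened form: inherit OpenZeppelin AccessControl. Its grantRole is
// guarded by onlyRole(getRoleAdmin(role)), so only the current admin of a
// role can grant it, and DEFAULT_ADMIN_ROLE administers itself.
contract HardenedRoleToken is AccessControl {
    bytes32 public constant MINTER_ROLE = keccak256("MINTER_ROLE");
    mapping(address => uint256) public balanceOf;

    // The admin (e.g. a multisig) is set once here; the minter contract is
    // granted MINTER_ROLE explicitly by that admin after deployment.
    constructor(address admin) {
        _grantRole(DEFAULT_ADMIN_ROLE, admin);
    }

    function mint(address to, uint256 amount) external onlyRole(MINTER_ROLE) {
        balanceOf[to] += amount;
    }
}
```

A post-deployment check worth scripting is to enumerate `RoleGranted` events and confirm every granter held the role's admin role at that block; an unexpected grant of `DEFAULT_ADMIN_ROLE` to a fresh address is the earliest on-chain signal of this exploit chain.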
Mitigating steps
In the interim we have
1. Disabled the stake UI on our frontend to prevent other users from risking funds
2. Disabled the rollover UI which uses sgETH and is also at risk
3. Informed community
4. Taking steps to disable the contracts onchain if possible
5. Taking steps to fully catalog the onchain movements
Actors
2 addresses have been seen exploiting the contract.
Courtesy of Spreek https://twitter.com/spreekaway/status/1697612239929246022?s=20
We are working with whitehats and authorities to track them down, and are looking for any support or hints.
0xBbAc1508f8A505D5383a1E945d63b26D7ed7A414
0x98536DBdC45f48b53612Bfb0A8892B5501E7e9e7
exploit tx: https://etherscan.io/tx/0x0e57d49c17a0df63f3d513a30ed0d49328372acd6cc3deac40316b97e77b9f44
- Applied grantRole(admin) on `0xdF6b4B49EbFbcc41a0B204DD75B40d3FA9b1823E` from `0xB710e6d2F092Ac1E5C8b160DaB20f4DA1A982C33`
- Applied grantRole(Minter) on `F0887BA65EE2024EA881D91B74C2450EF19E1557F03BED3EA9F16B037CBE2DC9` from the prev malicious admin
- Minted tokens without collateral to this new minter
- Withdrew ETH buffered in the real minter
- Eth sits in this addr: https://etherscan.io/address/0x1261aed405f2865d55a055561e3ec25c3fe32de0
Please return minus whitehat fee to sharedstake.eth - Might have been testing our contracts as early as 38 days ago
https://etherscan.io/address/0x34b163629e5c6972eb8b7cf5ef3a72e15a5914a0
10% of recovered funds go to whitehats / those helping us recover and whistleblowers.
If you have any information please reach out to us on discord or via email to chimera_defi@protonmail.com
We will add more information to this article as it becomes available.
Updates:
- In contact with Samczsun, spreek, ogle and other DeFi security advisors
- Community call on discord hosted to gather community feedback / inclusive warroom
- The minter has been paused to prevent any accidental minting of sgETH and any further risk to user funds
https://etherscan.io/tx/0x42d9892a6f82715babd245d5fb76b1acc7ad62b5efef456f9ce64d5ee7e9d507 - Sent message to attacker wallet on-chain
https://etherscan.io/tx/0x8af817dfbb743ab50a43fe24bc5ae615ccea3cc326205d7269c969b589cea725