Sharedstake Exploit postmortem Sep 1/2023

Chimera Defi
Sep 1, 2023


Attacker addresses — please reach out to chimera_defi@protonmail.com // admin@sharedstake.org with any info

0xBbAc1508f8A505D5383a1E945d63b26D7ed7A414

0x98536DBdC45f48b53612Bfb0A8892B5501E7e9e7

The Sharedstake sgETH contract was exploited on Aug 31, 2023.

Please do not interact with anything that uses sgETH, such as Stake or Rollover on Sharedstake.org, and withdraw any remaining funds from the minter or rollover contracts.

If you have vETH2 in the Rollover contract, please go to the contract page below, connect your wallet and call withdraw:
https://etherscan.io/address/0x68a31dfD0c81A411C5adadc8A40225425777466C#writeContract

Because our rollovers are batched and the contract was relatively new and unaudited, losses were limited but still significant.

In total ~105 ETH was lost.

Root Cause

Improper ownership checks in the sgETH contract
https://etherscan.io/address/0x9e52dB44d62A8c9762FA847Bd2eBa9d0585782d1#readContract

allowed anyone to take control of the contract and mint unlimited sgETH.
The attacker could then redeem that sgETH for the ETH held by the minter contract.
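As an added illustration (this is not the sgETH source and does not reproduce its code), the following hypothetical Solidity contracts show the general shape of this bug class and its fix: a privileged minter role that anyone can reassign because the setter has no ownership check, beside a version where the setter is owner-gated, rejects the zero address and emits an event so a role change can be alerted on. The contract and function names (`VulnerableStakedToken`, `HardenedStakedToken`, `setMinter`, `MinterChanged`) are assumptions made for the example, and the token logic is reduced to a bare balance map.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative example only, NOT the sgETH contract. Demonstrates the
/// "missing ownership check on a privileged setter" bug class.
contract VulnerableStakedToken {
    address public owner;
    address public minter;
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    constructor() {
        owner = msg.sender;
    }

    // BUG: no access check. Any caller can appoint an address of their
    // choosing as minter and then call mint() without limit.
    function setMinter(address newMinter) external {
        minter = newMinter;
    }

    function mint(address to, uint256 amount) external {
        require(msg.sender == minter, "not minter");
        totalSupply += amount;
        balanceOf[to] += amount;
    }
}

/// Hardened form: the privileged role can only be changed by the owner,
/// the zero address is rejected, and every change is logged.
contract HardenedStakedToken {
    address public owner;
    address public minter;
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    // Emitted on every role change; off-chain monitoring can alert on it.
    event MinterChanged(address indexed previous, address indexed current);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // FIX: only the owner may reassign the minter role.
    function setMinter(address newMinter) external onlyOwner {
        require(newMinter != address(0), "zero minter");
        emit MinterChanged(minter, newMinter);
        minter = newMinter;
    }

    function mint(address to, uint256 amount) external {
        require(msg.sender == minter, "not minter");
        totalSupply += amount;
        balanceOf[to] += amount;
    }
}
```

When reviewing a token used as collateral by a minter or redemption contract, the check to apply is the one the hardened version makes explicit: every function that can change who is allowed to mint (or who owns the contract) must itself be restricted to the owner, and the change should be observable on-chain so that an unexpected reassignment shows up in monitoring before the minted supply is redeemed.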

Mitigating steps

In the interim we have:
1. Disabled the stake UI on our frontend to prevent other users from risking funds

2. Disabled the rollover UI, which uses sgETH and is also at risk

3. Informed the community

4. Started taking steps to disable the contracts onchain, if possible

5. Started taking steps to fully catalog the onchain movements

Actors

Two addresses have been seen exploiting the contract.

Courtesy of Spreek https://twitter.com/spreekaway/status/1697612239929246022?s=20

We are working with whitehats and authorities to track them down, and are looking for any support or hints.

0xBbAc1508f8A505D5383a1E945d63b26D7ed7A414

0x98536DBdC45f48b53612Bfb0A8892B5501E7e9e7

Exploit tx: https://etherscan.io/tx/0x0e57d49c17a0df63f3d513a30ed0d49328372acd6cc3deac40316b97e77b9f44

10% of recovered funds go to whitehats, those helping us recover funds, and whistleblowers.
If you have any information, please reach out to us on Discord or via email at chimera_defi@protonmail.com

We will add more information to this article as it becomes available.

Updates:
