Shido’s layer-1 blockchain lost 94% of its token value in just 30 minutes after a vulnerability in its Ethereum-based staking contract was exploited.
The blockchain security firm PeckShield drew attention to the drop in a post on February 29th. In another post, it stated that ownership of the blockchain’s Ethereum-based staking contract had been transferred to another address. The new owner then upgraded the contract, adding a hidden function, and used that function to withdraw the staked tokens.
Hi @ShidoGlobal There is a sudden owner transfer to 0x1982. The new owner immediately upgrades the StakingV4Proxy contract with a hidden withdrawToken() function. This hidden function is then called to withdraw all 4,353,473,223.864904 $SHIDO.
Here are related txs:
– owner… https://t.co/TZ6oMDGwMG pic.twitter.com/VGZtyg9PEf
— PeckShield Inc. (@peckshield) February 29, 2024
PeckShield announced that the attacker withdrew 4.3 billion Shido tokens, almost half of the total token supply in circulation according to CoinGecko data.
Before the drop, these tokens were worth about $35 million.
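The sequence PeckShield describes (an owner transfer, an immediate proxy upgrade, then a withdrawal) is something a staking operator can alert on. The following is an added example, not code from PeckShield or Shido: it assumes the proxy emits OpenZeppelin-style OwnershipTransferred and ERC-1967 Upgraded events and the token emits ERC-20 Transfer, and every address, amount and threshold in it is constructed.

```python
from dataclasses import dataclass

@dataclass
class Event:
    ts: int        # block timestamp in seconds
    contract: str  # contract that emitted the event
    name: str      # event name (assumed standard names, see lead-in)
    args: dict

STAKING, TOKEN = "0xSTAKING_PROXY", "0xTOKEN"  # placeholder addresses
# Constructed sample events, not real chain data.
SAMPLE = [
    Event(1000, TOKEN, "Transfer", {"from": "0xUSER", "to": STAKING, "value": 500}),
    Event(5000, STAKING, "OwnershipTransferred",
          {"previousOwner": "0xOLD", "newOwner": "0xNEW"}),
    Event(5060, STAKING, "Upgraded", {"implementation": "0xIMPL2"}),
    Event(5120, TOKEN, "Transfer", {"from": STAKING, "to": "0xNEW", "value": 4000}),
    Event(90000, "0xOTHER_PROXY", "Upgraded", {"implementation": "0xIMPL9"}),
]

def detect_takeover(events, watched, window=3600, large_out=1000):
    """Flag owner change -> upgrade -> large outflow on watched contracts.

    window and large_out are illustrative thresholds, not recommendations.
    """
    state = {}   # contract -> timestamps of the stages seen so far
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.name == "OwnershipTransferred" and ev.contract in watched:
            # Any owner change on a watched contract is worth an alert by itself.
            state[ev.contract] = {"owner_ts": ev.ts}
            alerts.append(("owner_changed", ev.contract, ev.ts))
        elif ev.name == "Upgraded" and ev.contract in watched:
            st = state.get(ev.contract)
            # Escalate only when the upgrade closely follows an owner change.
            if st and ev.ts - st["owner_ts"] <= window:
                st["upgrade_ts"] = ev.ts
                alerts.append(("upgrade_after_owner_change", ev.contract, ev.ts))
        elif ev.name == "Transfer" and ev.args["from"] in watched:
            st = state.get(ev.args["from"])
            # Large token outflow from the contract right after such an upgrade.
            if (st and "upgrade_ts" in st
                    and ev.ts - st["upgrade_ts"] <= window
                    and ev.args["value"] >= large_out):
                alerts.append(("outflow_after_upgrade", ev.args["from"], ev.ts))
    return alerts
```

The first two alert stages fire before any tokens move, which is the point at which pausing the contract or warning stakers is still useful.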
In a post, an on-chain researcher known as ZachXBT stated that he had found the attacker’s address and that the funds in this address were first bridged through Layerswap and then transferred from the Arbitrum blockchain.
So the address was funded via Across on Arbitrum and that was funded via Layerswap by this person’s ENS.
I think they were hacked as well though bc their assets were suddenly transferred before funding the exploiter. pic.twitter.com/6Da2ybKuFY
— ZachXBT (@zachxbt) February 29, 2024
According to ZachXBT, the wallet that funded the attacker was identified. However, he added that he thinks its owner was hacked as well, because the owner’s assets were suddenly transferred before the wallet funded the exploiter.
Shido is a layer-1 proof-of-stake blockchain project that has yet to launch its main network. A post on February 24th stated that the mainnet launch would be announced the following week.
SHIDO is an Ethereum-based ERC-20 token that can be staked to earn an 8% annual return, according to the project’s website. Shido has not yet responded to a request for comment about the contract loophole.
Last year, over 600 crypto-related hacks resulted in a loss of $2.1 billion, representing a nearly 30% decrease compared to 2022. In January of this year, $182.5 million was lost in 30 attacks, according to PeckShield.
February could also be a big month for those exploiting flaws; $290 million was stolen from PlayDapp, and several million more were lost in various wallet breaches and fraud cases.