Shido Token Plummets 85% Following Exploit on Ethereum Staking Contract
The token for the layer-1 blockchain Shido has plunged 85% after the project’s Ethereum-based staking contract fell victim to an exploit.
The exploit was first brought to light by blockchain security firm PeckShield, which revealed that the attacker successfully transferred ownership of the project’s Ethereum staking contract to another address.
Subsequently, the new owner upgraded the contract with a concealed function, enabling the withdrawal of staked tokens.
“There is a sudden owner transfer to 0x1982. The new owner immediately upgrades the StakingV4Proxy contract with a hidden withdrawToken() function,” PeckShield wrote.
Hi @ShidoGlobal There is a sudden owner transfer to 0x1982. The new owner immediately upgrades the StakingV4Proxy contract with a hidden withdrawToken() function. This hidden function is then called to withdraw all 4,353,473,223.864904 $SHIDO.
Here are related txs:
– owner… https://t.co/TZ6oMDGwMG
— PeckShield Inc. (@peckshield) February 29, 2024
At the time of writing, Shido is trading at $0.00141, down by more than 82% over the past day.
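Detection logic for the sequence PeckShield describes (owner transfer, an immediate proxy upgrade that adds a new function, then a large withdrawal), added here as an example and not code from PeckShield or Shido. It assumes the contract emits the standard OpenZeppelin `OwnershipTransferred` and ERC-1967 `Upgraded` events and that each implementation's function list is known to the monitor; every address, block number, amount and the `balance_before` field are constructed placeholders.

```python
# Constructed sample data: placeholders, not values from the Shido incident.
PROXY = "0xProxy"
KNOWN_FUNCS = {  # assumed: function signatures recovered per implementation
    "0xImplV4": {"stake(uint256)", "unstake(uint256)", "claim()"},
    "0xImplNew": {"stake(uint256)", "unstake(uint256)", "claim()", "withdrawToken()"},
}
EVENTS = [  # decoded logs, ordered by block
    {"block": 100, "contract": PROXY, "name": "Upgraded", "impl": "0xImplV4"},
    {"block": 900, "contract": PROXY, "name": "OwnershipTransferred",
     "old": "0xTeam", "new": "0xNewOwner"},
    {"block": 903, "contract": PROXY, "name": "Upgraded", "impl": "0xImplNew"},
    # balance_before is added by the monitor; it is not part of an ERC-20 Transfer log
    {"block": 905, "contract": "0xToken", "name": "Transfer", "src": PROXY,
     "dst": "0xNewOwner", "amount": 4_300, "balance_before": 4_300},
]
WINDOW = 50        # blocks between owner change and upgrade treated as suspicious
DRAIN_RATIO = 0.5  # share of the contract's token balance treated as a drain


def _state(table, addr):
    return table.setdefault(addr, {"impl": None, "owner_block": None, "flagged": False})


def scan(events, funcs=KNOWN_FUNCS, window=WINDOW, drain_ratio=DRAIN_RATIO):
    """Return alerts for owner-change -> upgrade -> drain sequences."""
    alerts, table = [], {}
    for ev in events:
        if ev["name"] == "OwnershipTransferred":
            _state(table, ev["contract"])["owner_block"] = ev["block"]
        elif ev["name"] == "Upgraded":
            st = _state(table, ev["contract"])
            # Functions present in the new implementation but not in the old one.
            added = funcs.get(ev["impl"], set()) - funcs.get(st["impl"], set())
            recent = (st["owner_block"] is not None
                      and ev["block"] - st["owner_block"] <= window)
            if recent and st["impl"] is not None:  # skip the initial deployment
                st["flagged"] = True
                alerts.append(("UPGRADE_AFTER_OWNER_CHANGE", ev["block"], sorted(added)))
            st["impl"] = ev["impl"]
        elif ev["name"] == "Transfer":
            st = table.get(ev["src"])  # outflow from a monitored contract
            if st and st["flagged"] and ev["amount"] >= drain_ratio * ev["balance_before"]:
                alerts.append(("DRAIN_AFTER_UPGRADE", ev["block"], ev["amount"]))
    return alerts


if __name__ == "__main__":
    for alert in scan(EVENTS):
        print(alert)
```

The first alert fires at the upgrade, before any tokens move, which is the point at which a pause or timelock could still intervene.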
Attacker Withdraws Half of Shido’s Circulating Supply
The attacker managed to withdraw a staggering amount of over 4.3 billion Shido tokens.
According to data provided by CoinGecko, this accounted for nearly half of the total circulating token supply of approximately 9 billion.
At the time of the exploit, the market value of these tokens amounted to approximately $35 million.
The severity of the incident raised concerns within the cryptocurrency community and highlighted the vulnerability of blockchain projects to such exploits.
Pseudonymous on-chain researcher ZachXBT delved further into the matter and discovered that the exploiter’s address had been funded through cryptocurrencies initially bridged from the cross-chain protocol Layerswap and subsequently from the Arbitrum blockchain.
Additionally, ZachXBT claimed to have uncovered the real identity of the wallet owner responsible for funding the exploiter.
However, it appeared that even the wallet owner had fallen victim to a hack, as their assets were abruptly transferred prior to funding the exploiter.
So the address was funded via Across on Arbitrum and that was funded via Layerswap by this person's ENS.
I think they were hacked as well though bc their assets were suddenly transferred before funding the exploiter.
— ZachXBT (@zachxbt) February 29, 2024
Shido, a layer-1 proof-of-stake blockchain, had been eagerly anticipating the launch of its mainnet.
In a recent announcement on February 24, the project had indicated that the mainnet launch would occur “next week.”
The SHIDO token, an Ethereum-based ERC-20 token, was designed to be staked on the project’s connected decentralized exchange (DEX), promising an annual yield of 8% to token holders.
Exploits Remain Rampant in Web3
The exploit targeting Shido comes just one day after the Serenity Shield project, a multi-chain data storage startup, fell victim to a theft that compromised its MetaMask wallet.
The hack, which took place on one of Serenity’s wallets on BSC, allowed the perpetrators to steal around 6.9 million native SERSH tokens worth $5.6 million at the time of the hack.
The exploit took a toll on the price of the native token, dragging SERSH from $0.565 to $0.009, a nearly 99% plunge.
As reported, bad actors have stolen $38.9 million from various Web3 projects in the first month of 2024.
One of the first major crypto hacks of the year occurred when Radiant Capital experienced a $4.5 million loss due to an empty market exploit.
Gamma Strategies, another affected platform, fell victim to a flash loan attack on January 4, shortly after the Radiant Capital incident.
The attack exploited a code bug, enabling the hackers to siphon $6.1 million from Gamma’s public-facing vaults.