SharedStake, a decentralized ETH2.0 Staking-as-a-Service protocol, is in disarray after a suspected inside job.
In a series of transactions on June 19 and June 23, a ‘rogue developer’ withdrew $500K worth of SGT, the project’s governance token, from the team’s allocation. These tokens were locked in a vesting contract and were meant to be unlocked gradually over time as the project progressed.
The SGT tokens were subsequently dumped on the market and the price collapsed from $1.60 to under 3 cents. At the time of writing, SGT is trading at $0.12.
In this post-mortem, ImmuneFi reports that the vulnerability in the timelock code was identified nearly two months ago, on April 26, and subsequently shared with the SharedStake team. Unfortunately, it seems that no action was taken to rectify the issue.
The fate of 16K ETH ($32M) hangs in the balance. Users deposited their ETH in the platform in exchange for vETH2, which can be redeemed for ETH when ETH2.0 launches. It remains unclear if the withdrawal keys needed for this process have been compromised.
Soon after the news broke on Twitter, the accusations began to fly in the project’s Discord. Two members of the anonymous development team, Chimera and Kairos, each accused the other of “pulling the rug”.
While anxious users worried about their staked ETH, the team members in question seemed to be in better spirits.
A team call was scheduled today to discuss possible solutions, but it is now unclear if it will take place, given that one of the team members seems to be leaving.
In the absence of clear guidance from the SharedStake team, concerned users have created their own Discord server to record information and discuss potential legal action.
This is a developing story and will be updated as we get more information.