Following an exploit of the Ethereum-based staking contract of the layer-1 blockchain Shido, the token has fallen by a drastic 85%. The breach was first reported by blockchain security firm PeckShield, which disclosed that the attacker transferred ownership of the project's Ethereum staking contract to a different address.
The new owner then upgraded the contract to add a concealed function that allowed the withdrawal of staked tokens. PeckShield detailed, “There is a sudden owner transfer to 0x1982. The new owner immediately upgrades the StakingV4Proxy contract with a hidden withdrawToken() function.”
As of the current writing, Shido is valued at $0.00141, marking a decrease of more than 82% within the last 24 hours.
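The sequence PeckShield describes, an owner transfer followed immediately by a proxy upgrade that introduces a new function, can be watched for in a contract's event history. The Python below is an added example, not code from PeckShield or Shido; it assumes OpenZeppelin-style `OwnershipTransferred` and `Upgraded` events, and every address, block number, the `max_gap` threshold and all function names other than `withdrawToken()` are constructed.

```python
from dataclasses import dataclass

# Constructed sample events; addresses and block numbers are placeholders,
# not values from the incident. "sender" is the upgrade transaction's sender.
EVENTS = [
    {"block": 100, "proxy": "StakingV4Proxy", "event": "OwnershipTransferred",
     "previous_owner": "0xOLD_OWNER", "new_owner": "0xNEW_OWNER"},
    {"block": 102, "proxy": "StakingV4Proxy", "event": "Upgraded",
     "sender": "0xNEW_OWNER", "implementation": "0xNEW_IMPL"},
]
# Constructed function lists for the implementation before and after the upgrade.
ABI_BEFORE = {"stake(uint256)", "unstake(uint256)", "claimRewards()"}
ABI_AFTER = ABI_BEFORE | {"withdrawToken()"}


@dataclass
class Alert:
    proxy: str
    new_owner: str
    blocks_between: int
    added_functions: list


def detect_takeover_upgrades(events, abi_before, abi_after, max_gap=50):
    """Flag upgrades sent by an owner who gained ownership <= max_gap blocks earlier."""
    last_transfer = {}  # proxy -> most recent OwnershipTransferred event
    alerts = []
    for ev in sorted(events, key=lambda e: e["block"]):
        if ev["event"] == "OwnershipTransferred":
            last_transfer[ev["proxy"]] = ev
        elif ev["event"] == "Upgraded":
            transfer = last_transfer.get(ev["proxy"])
            if transfer is None:
                continue  # no ownership change seen for this proxy
            gap = ev["block"] - transfer["block"]
            same_actor = ev["sender"].lower() == transfer["new_owner"].lower()
            if gap <= max_gap and same_actor:
                # Functions present only after the upgrade need review first.
                added = sorted(abi_after - abi_before)
                alerts.append(Alert(ev["proxy"], transfer["new_owner"], gap, added))
    return alerts


if __name__ == "__main__":
    for alert in detect_takeover_upgrades(EVENTS, ABI_BEFORE, ABI_AFTER):
        print(alert)
```
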
Attacker Withdraws Half of Shido’s Circulating Supply
The attacker successfully withdrew an astounding amount exceeding 4.3 billion Shido tokens. According to CoinGecko’s data, this constituted nearly half of the total circulating token supply, which was approximately 9 billion.
At the time of the exploit, the market value of these tokens reached approximately $35 million. This incident’s severity has stirred concerns within the cryptocurrency community, shedding light on the vulnerability of blockchain projects to such exploits.
Delving deeper into the matter, pseudonymous on-chain researcher ZachXBT found that the exploiter’s address had initially been funded through cryptocurrencies bridged from the cross-chain protocol Layerswap and subsequently from the Arbitrum blockchain. Additionally, ZachXBT claimed to have uncovered the true identity of the wallet owner responsible for funding the exploiter.
It seems that the wallet owner had also been compromised, as their assets were swiftly transferred out before the wallet funded the exploiter.
Shido, a layer-1 proof-of-stake blockchain, had been eagerly awaiting the launch of its mainnet. In a recent announcement on February 24, the project had hinted that the mainnet launch was imminent, stating it would happen “next week.”
The SHIDO token, an Ethereum-based ERC-20 token, was created for staking on the project’s linked decentralized exchange (DEX), offering token holders an annual yield of 8%.
Exploits Remain Rampant in Web3
The exploit targeting Shido occurred just one day after the Serenity Shield project, a multi-chain data storage startup, fell victim to a theft that compromised its MetaMask wallet.
The hack, which targeted one of Serenity’s wallets on Binance Smart Chain (BSC), resulted in perpetrators stealing approximately 6.9 million native SERSH tokens valued at $5.6 million at the time of the hack.
This exploit significantly impacted the price of the native token, causing SERSH to plummet from $0.565 to $0.009, representing an almost 99% drop.
Reports indicate that bad actors have siphoned $38.9 million from various Web3 projects in the first month of 2024.
One of the initial major crypto hacks of the year involved Radiant Capital, which experienced a $4.5 million loss due to an empty market exploit.
Shortly after the Radiant Capital incident, Gamma Strategies, another affected platform, fell victim to a flash loan attack on January 4. The attack exploited a code bug, allowing hackers to drain $6.1 million from Gamma’s public-facing vaults.