Cointelegraph

Shido token plummets 94% as exploiter drains Ethereum staking contract

Update Feb. 29, 11:54 AM UTC: This article has been updated to add Shido's announcement.

The token for the layer-1 blockchain Shido dropped as much as 94% in just 30 minutes after suffering an exploit on its Ethereum-based staking contract.

Blockchain security firm PeckShield alerted its followers to the drop in a Feb. 29 X post. In a follow-up post, it explained that an exploiter managed to transfer ownership of the blockchain’s Ethereum staking contract to another address; the new owner then upgraded the contract with a hidden function to withdraw staked tokens.

PeckShield Inc.
@peckshield

Hi @ShidoGlobal There is a sudden owner transfer to 0x1982. The new owner immediately upgrades the StakingV4Proxy contract with a hidden withdrawToken() function. This hidden function is then called to withdraw all 4,353,473,223.864904 $SHIDO.

Here are related txs:

- owner… https://t.co/TZ6oMDGwMG pic.twitter.com/VGZtyg9PEf

Feb 29, 2024

PeckShield said the attacker had withdrawn over 4.3 billion Shido tokens — nearly half of the almost 9 billion circulating token supply, per CoinGecko data.

Before the price drop, those tokens were worth around $35 million.
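The sequence PeckShield describes (an owner transfer, an immediate proxy upgrade, then a withdrawal of the staked balance) is something a monitoring job can watch for. The sketch below is an added example, not code from Cointelegraph, PeckShield or Shido; it assumes the staking proxy emits the widely used `OwnershipTransferred` and `Upgraded` events, and the logs, addresses, thresholds and the names `flag_takeover`, `window` and `ratio` are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Event:
    block: int      # block number of the log
    contract: str   # address that emitted the log
    name: str       # decoded event name
    args: dict      # decoded event arguments

def flag_takeover(events, balances, window=300, ratio=0.5):
    """Alert on owner change -> upgrade -> large outflow, each within `window` blocks.

    balances maps a monitored contract to the token amount it held beforehand.
    """
    owner_changed, upgraded, alerts = {}, {}, []
    for ev in sorted(events, key=lambda e: e.block):
        if ev.name == "OwnershipTransferred":
            owner_changed[ev.contract] = ev.block
        elif ev.name == "Upgraded":
            changed = owner_changed.get(ev.contract)
            # An upgrade right after a change of owner is the pattern to page on.
            if changed is not None and ev.block - changed <= window:
                upgraded[ev.contract] = ev.block
                alerts.append(("HIGH", ev.contract, ev.block))
        elif ev.name == "Transfer":
            src = ev.args["from"]  # Transfer is emitted by the token, not the proxy
            since = upgraded.get(src)
            # Unknown balance -> threshold is infinite, so no CRITICAL is raised.
            threshold = ratio * balances.get(src, float("inf"))
            if (since is not None and ev.block - since <= window
                    and ev.args["value"] >= threshold):
                alerts.append(("CRITICAL", src, ev.block))
    return alerts

# Constructed sample logs; addresses are placeholders, not the real ones.
PROXY, TOKEN = "0xSTAKING_PROXY", "0xTOKEN"
SAMPLE = [
    Event(100, PROXY, "OwnershipTransferred", {"previousOwner": "0xOLD", "newOwner": "0xNEW"}),
    Event(102, PROXY, "Upgraded", {"implementation": "0xNEW_IMPL"}),
    Event(103, TOKEN, "Transfer", {"from": PROXY, "to": "0xNEW", "value": 1_000_000}),
]
BALANCES = {PROXY: 1_000_000}  # tokens held by the proxy before the sequence

if __name__ == "__main__":
    for alert in flag_takeover(SAMPLE, BALANCES):
        print(alert)
```

The default window of 300 blocks is an assumption (roughly an hour on Ethereum); a routine upgrade long after a planned ownership change, or an ordinary unstake with no preceding upgrade, raises nothing.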

In an X post, pseudonymous on-chain researcher ZachXBT said they’d found the exploiter’s address was funded through crypto first bridged from the cross-chain protocol Layerswap and then from the Arbitrum blockchain. 

ZachXBT
@zachxbt

So the address was funded via Across on Arbitrum and that was funded via Layerswap by this person's ENS.

I think they were hacked as well though bc their assets were suddenly transferred before funding the exploiter. pic.twitter.com/6Da2ybKuFY

Feb 29, 2024

ZachXBT found what they said was the real identity of the wallet owner who funded the exploiter, but said that person also appeared to have been hacked, as “their assets were suddenly transferred before funding the exploiter.”

Hours after the start of the incident, the Shido team posted an official announcement, saying that they had secured Shido against any further threats. The protocol also said it had started investigating and urged the hacker to contact the team to negotiate a bounty. Shido also promised that users who staked their tokens would have their assets returned.

Shido is a layer-1 proof-of-stake blockchain that has yet to launch its mainnet. It said in a Feb. 24 X post that it was announcing its mainnet launch “next week.”

SHIDO is an Ethereum-based ERC-20 token that could be staked on the project's connected decentralized exchange (DEX) to earn an 8% annual yield, according to its website.

Shido did not immediately respond to a request for comment on the contract exploit.

Last year saw over 600 crypto-related hacks with $2.1 billion in losses, a nearly 30% decrease from 2022, and so far this year January had 30 attacks with $182.5 million lost, according to PeckShield.

February could also end as a big month for exploiters, with $290 million stolen from PlayDapp and a further few million dollars' worth of crypto stolen in various wallet breaches and phishing scams.