The Shido token, associated with the layer-1 blockchain Shido, experienced a drastic 94% decline within a mere half-hour following an exploit on its Ethereum-based staking contract, as reported by PeckShield, a blockchain security firm.
PeckShield alerted its audience to the significant drop in value through a post on X dated February 29. The firm then detailed how an exploiter gained control of the blockchain’s Ethereum staking contract and transferred its ownership to another address. The new owner then upgraded the contract, embedding a concealed function to withdraw staked tokens.
Hi @ShidoGlobal There is a sudden owner transfer to 0x1982. The new owner immediately upgrades the StakingV4Proxy contract with a hidden withdrawToken() function. This hidden function is then called to withdraw all 4,353,473,223.864904 $SHIDO.
Here are related txs:
– owner… https://t.co/TZ6oMDGwMG
— PeckShield Inc. (@peckshield) February 29, 2024
According to PeckShield, the attacker successfully withdrew more than 4.3 billion Shido tokens, which accounted for nearly half of the total circulating token supply of almost 9 billion, based on CoinGecko data.
Source: EtherScan
Prior to the price plummet, these tokens were valued at approximately $35 million.
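The sequence PeckShield describes (owner transfer, then proxy upgrade, then a large withdrawal) can be watched for as a correlated chain of on-chain events. The following is an added detection sketch, not code from PeckShield or Shido. It assumes the contracts emit the standard `OwnershipTransferred` (OpenZeppelin Ownable), `Upgraded` (ERC-1967) and `Transfer` (ERC-20) events, which the article does not confirm, and it uses a hypothetical decoded-log format, placeholder addresses and assumed thresholds.

```python
from dataclasses import dataclass

WINDOW_BLOCKS = 300     # assumed correlation window (about 1 hour of Ethereum blocks)
DRAIN_FRACTION = 0.5    # assumed threshold: one outflow >= 50% of the staked balance

@dataclass(frozen=True)
class Event:            # a decoded log entry (constructed format, not a real API)
    block: int
    emitter: str        # contract that emitted the log
    name: str           # decoded event name
    args: dict

def detect_takeover(events, proxy, token, known_owners, staked_balance):
    """Flag: unapproved owner change -> proxy upgrade -> large token outflow."""
    alerts, owner_change, upgrade = [], None, None
    for ev in sorted(events, key=lambda e: e.block):
        if ev.emitter == proxy and ev.name == "OwnershipTransferred":
            if ev.args["newOwner"] not in known_owners:
                owner_change, upgrade = ev, None
                alerts.append(("HIGH", ev.block, "owner set to unapproved address"))
        elif ev.emitter == proxy and ev.name == "Upgraded":
            if owner_change and ev.block - owner_change.block <= WINDOW_BLOCKS:
                upgrade = ev
                alerts.append(("CRITICAL", ev.block, "upgrade right after owner change"))
        elif ev.emitter == token and ev.name == "Transfer" and ev.args["from"] == proxy:
            recent = upgrade and ev.block - upgrade.block <= WINDOW_BLOCKS
            if recent and ev.args["value"] >= DRAIN_FRACTION * staked_balance:
                alerts.append(("CRITICAL", ev.block, "staked tokens drained after upgrade"))
    return alerts

# Constructed sample data; addresses are placeholders, not values from the incident.
PROXY, TOKEN = "0xSTAKING_PROXY", "0xTOKEN"
KNOWN_OWNERS = {"0xTEAM_MULTISIG"}
STAKED = 4_353_473_223  # whole tokens, rounded down from the figure PeckShield reported
SAMPLE = [
    Event(100, TOKEN, "Transfer", {"from": PROXY, "to": "0xUSER", "value": 1_000}),
    Event(200, PROXY, "OwnershipTransferred",
          {"previousOwner": "0xTEAM_MULTISIG", "newOwner": "0xUNKNOWN"}),
    Event(201, PROXY, "Upgraded", {"implementation": "0xNEW_IMPL"}),
    Event(202, TOKEN, "Transfer", {"from": PROXY, "to": "0xUNKNOWN", "value": STAKED}),
]
# A routine upgrade by a known owner, with an ordinary unstake: should raise nothing.
BENIGN = [
    Event(300, PROXY, "Upgraded", {"implementation": "0xPLANNED_IMPL"}),
    Event(301, TOKEN, "Transfer", {"from": PROXY, "to": "0xUSER", "value": 1_000}),
]
if __name__ == "__main__":
    for alert in detect_takeover(SAMPLE, PROXY, TOKEN, KNOWN_OWNERS, STAKED):
        print(alert)
```

The first alert fires on the owner change alone, before any upgrade or withdrawal, which is the point at which a pause or timelock would still have time to act.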
In a separate X post, pseudonymous on-chain researcher ZachXBT uncovered that the exploiter’s address received funding initially through cryptocurrency bridged from the cross-chain protocol Layerswap, followed by funds from the Arbitrum blockchain. ZachXBT also identified what they claimed to be the genuine identity of the wallet owner providing the initial funding, suggesting that their assets were also compromised, as they were swiftly transferred before being used to fund the exploiter.
So the address was funded via Across on Arbitrum and that was funded via Layerswap by this person's ENS.
I think they were hacked as well though bc their assets were suddenly transferred before funding the exploiter.
— ZachXBT (@zachxbt) February 29, 2024
Following the incident’s onset, the Shido team issued an official statement, affirming that they had mitigated any further threats against Shido. They initiated an investigation into the matter and encouraged the hacker to engage in negotiations regarding a potential bounty. Additionally, Shido assured users who staked their tokens that their assets would be returned.
We currently know how the exploit technically happened. We have secured against any further threats against Shido.
A thorough investigation on the hacker is ongoing, we request the exploiter to contact Shido for a bounty.
All users that staked SHIDO, will have their tokens…
— Shido (@ShidoGlobal) February 29, 2024
Shido is a layer-1 proof-of-stake blockchain that has yet to launch its mainnet. In a previous X post dated February 24, the project indicated that its mainnet launch date would be announced the following week.
The big launch is coming closer. The start of a new era begins.
Shido Network mainnet launch date will be officially announced next week.
🌐 https://t.co/Lc4gqjAvEo
— Shido (@ShidoGlobal) February 24, 2024
SHIDO, an Ethereum-based ERC-20 token, offered an 8% annual yield for staking on the project’s associated decentralized exchange (DEX), according to its website.
The past year witnessed over 600 crypto-related hacks resulting in $2.1 billion in losses, marking a nearly 30% decrease from 2022. In January of this year alone, there were 30 attacks resulting in $182.5 million in losses, as per PeckShield’s data. February also saw significant exploits, including the theft of $290 million from PlayDapp and several million dollars’ worth of crypto stolen through wallet breaches and phishing scams.