Google Drive
Gist
Clipboard
After the AnchorVault upgrade switching the bETH Anchor integration from using Shuttle to Wormhole bridge, two users have been able to execute transactions aimed for Shuttle-using code, effectively blocking their funds on unaccessible Terra addresses. The integration have been upgraded to prevent such events from happening. Users have been refunded, and the funds corresponding to the amount locked on Terra has been recovered from the AnchorVault.
On Jan 26th, 2022 Anchor bETH integration had been migrated 3 from using the Shuttle bridge to the Wormhole bridge. The upgrade lacked smart contract API versioning, allowing two users to send the total of 443.56111857 webETH (Terra-side Wormhole bETH) to inaccessible Terra addresses. The affected users have been refunded on Jan 27th, 2022 from the dev team’s funds. The bETH Anchor integration has been down for about 6 hours from 12:16 PM UTC to 5:52PM UTC. Refunding the dev team by unlocking stETH from the AnchorVault contract has been performed with AnchorVault upgrade on Feb 10th, 2022.
The root cause has been that upgraded contracts retained backwards compatibility, allowing users to send txs from the old UI version to the new contracts without reverts.
To prevent such kind of incidents from happening, the team has implemented versioning into the AnchorVault, and formulated the policy for upgradable contracts across the Lido codebase. The policy has been published as LIP-10. On a lower level, all state-changing methods used in UI now include version number as the parameter, preventing the txs formed by old UI versions to ever pass into the contracts after the upgrade. Internal guidelines regarding contract upgrades have been tweaked as well.
The fix has been implemented so that no third party integrations are interrupted. On Ethereum, AnchorVault received a tweak to take the refunded stETHs into account in internal calculations. For the Wormhole, bETH tokens locked on the Ethereum Wormhole bridge address corresponded 1-1 to the webETHs on Terra. On the Anchor side, as webETH balances don't affect rewards distribution (only original bETH token balances do), so no impact as well.
AnchorVault.submit transactions using the outdated UI, either because they had a browser tab with the old UI open or due to the browser caching issues. These transactions (0xc875f85f525d9bc47314eeb8dc13c288f0814cf06865fc70531241e21f5da09d, 0x7abe086dd5619a577f50f87660a03ea0a1934c4022cd432ddf00734771019951) contained Terra addresses encoded using right zero padding.or
or
By clicking below, you agree to our terms of service.
Sign in with Wallet
New to HackMD? Sign up
| Syntax | Example | Reference | |
|---|---|---|---|
| # Header | Header | 基本排版 | |
| - Unordered List |
|
||
| 1. Ordered List |
|
||
| - [ ] Todo List |
|
||
| > Blockquote | Blockquote |
||
| **Bold font** | Bold font | ||
| *Italics font* | Italics font | ||
| ~~Strikethrough~~ | |||
| 19^th^ | 19th | ||
| H~2~O | H2O | ||
| ++Inserted text++ | Inserted text | ||
| ==Marked text== | Marked text | ||
| [link text](https:// "title") | Link | ||
|  | Image | ||
| `Code` | Code |
在筆記中貼入程式碼 | |
| ```javascript var i = 0; ``` |
|
||
| :smile: |  |
Emoji list | |
| {%youtube youtube_id %} | Externals | ||
| $L^aT_eX$ | LaTeX | ||
| :::info This is a alert area. ::: |
This is a alert area. |
On a scale of 0-10, how likely is it that you would recommend HackMD to your friends, family or business associates?
Please give us some advice and help us improve HackMD.
Do you want to remove this version name and description?
Syncing
-
Any changes
Be notified of any changes
-
Mention me
Be notified of mention me
-
Unsubscribe
Subscribe