A crypto developer is pleading for help and offering a bounty worth millions after accidentally sending $25 million of Renzo tokens to the wrong Ethereum address.
The dev sent 7,912 ezETH, a type of liquid restaking token worth over $3,400 apiece, to what’s known as a Safe Module instead of a Safe. With funds now frozen, the developer is offering 10% (a $2.5 million reward) to anyone who can retrieve his funds.
The tokens went to an Ethereum contract address labeled ‘CoboSafeAccount.’ Despite having keys to that wallet, the dev’s particular token type and a bug in ERC-20 transaction handling prohibit recovery. That CoboSafeAccount now holds about $27 million in Renzo Restaked ETH (ezETH), slightly more than his initial deposit due to Monday’s rally in the price of ether (ETH).
Renzo is a liquid restaking protocol that interoperates with EigenLayer, a layer 2 on Ethereum. It allows users to gain access to Ethereum’s proof-of-stake yield by simply owning ezETH rather than actually staking ETH as a solo staker.
Renzo currently boasts $1.6 billion in total restaking value on its platform.
A bug in ERC-20 transaction handling?
A hacker who goes by “Dexaran” commented on the $27 million in frozen ezETH, saying the problem is a security issue with ERC-20 contracts that Ethereum developers have failed to fix since 2017. Specifically, Dexaran says ERC-20 transfer functions lack proper handling protocols.
The standard also lacks failsafe defaults and error-handling protocols that would have prevented errors like the one committed by the CoboSafeAccount owner.
Dexaran says he developed the ERC-223 standard, which offers allegedly superior transaction handling. He also engaged with Ethereum developers about ERC-223 with limited success.
The CoboSafeAccount owner confirmed that the contract had no transfer function.
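The failure mode described above, shown as an added Solidity example that is not code from the article, Renzo, Cobo or the ERC-223 specification. All names (DemoToken, transferChecked, ITokenReceiver, InertModule) are hypothetical, and the receive hook is modelled on the recipient callback idea behind ERC-223: the plain transfer credits a contract that can never move the tokens, while the checked transfer reverts and leaves the sender's balance intact.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical receive hook, modelled on the ERC-223 idea that a recipient
// contract must explicitly acknowledge incoming tokens.
interface ITokenReceiver {
    function tokenReceived(address from, uint256 value, bytes calldata data)
        external returns (bytes4);
}

// Minimal token used only to contrast the two transfer styles.
contract DemoToken {
    mapping(address => uint256) public balanceOf;

    constructor(uint256 supply) { balanceOf[msg.sender] = supply; }

    // ERC-20 style: credits any address and never asks whether the
    // recipient contract has a code path to move the tokens out again.
    function transfer(address to, uint256 value) external returns (bool) {
        _move(msg.sender, to, value);
        return true;
    }

    // Hook style: if `to` is a contract it must implement tokenReceived and
    // return the expected acknowledgement; otherwise the call reverts and
    // the balance update in _move is rolled back with it.
    function transferChecked(address to, uint256 value, bytes calldata data)
        external returns (bool)
    {
        _move(msg.sender, to, value);
        if (to.code.length > 0) {
            bytes4 ack = ITokenReceiver(to).tokenReceived(msg.sender, value, data);
            require(ack == ITokenReceiver.tokenReceived.selector, "receiver rejected tokens");
        }
        return true;
    }

    function _move(address from, address to, uint256 value) private {
        require(balanceOf[from] >= value, "insufficient balance");
        balanceOf[from] -= value;
        balanceOf[to] += value;
    }
}

// Stand-in for a contract with no token handling at all: transfer() to it
// succeeds and strands the balance, transferChecked() to it reverts.
contract InertModule {}
```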
Will a bounty bring Renzo to the rescue?
At this point, according to many comments on X, Renzo’s own developers are probably the only way for the beleaguered dev to recover his $27 million. Renzo, as owner of the ezETH contract, could update the contract to allow funds to be retrieved. However, that would require gaining the cooperation of devs responsible for a billion-dollar protocol.
Urgent Request for Help!
To all skilled hackers and white hats out there: I’ve lost a significant sum of funds in a contract and urgently need help recovering it. If you can successfully retrieve the funds, I’ll immediately offer a 10% reward, which is approximately $2.5 million…
— 我有一个狗王梦 (@qklpjeth) November 10, 2024
Some commenters suggested offering Renzo the bounty while others offered to negotiate with Renzo or recommended putting social pressure on the team.
Some also suggested that the CoboSafeAccount owner could add himself as a delegate and use execTransaction to get the funds out if he controls the contract. That method doesn’t yet seem successful.
The resolution of the issue is still pending. Renzo might decide to update their contract to give this developer a workaround to the bug in ERC-20 transaction handling. However, it’s equally likely that the funds will be stuck forever.